CITRIX R

Client for 32-bit Windows Administrator’s GuideFor other guides in this document set, go to the Document Center

MetaFrame Presentation Server Client for 32-bit Windows, Version 9.xCitrix® MetaFrame® Presentation Server 4.0 for Windows®Citrix® MetaFrame® Access Suite

Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement. A copy of the End User License Agreement is included in the root directory of the Components CD-ROM.

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.

Copyright ©1999-2005 Citrix Systems, Inc. All rights reserved.

Citrix, MetaFrame, MetaFrame XP, NFuse, ICA (Independent Computing Architecture) and Program Neighborhood are registered trademarks, and Citrix Solutions Network, and SpeedScreen are trademarks of Citrix Systems, Inc. in the United States and other countries.

Microsoft, MS-DOS, Windows, Windows NT, ActiveX, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United States of America and other countries.

RSA Encryption © 1996-1997 RSA Security Inc., All Rights Reserved.

Novell Directory Services, NDS, and NetWare are registered trademarks of Novell, Inc. in the United States of America and other countries. Novell Client is a trademark of Novell, Inc.

UNIX is a registered trademark of The Open Group in the United States of America and other countries.

This software is based in part on the work of the Independent JPEG Group.

Portions of this software are based on code owned and copyrighted by O'Reilly Media, Inc. 1998. (CJKV Information Processing, by Ken Lunde. ISBN: 1565922247.) All rights reserved.

All other trademarks and registered trademarks are the property of their respective owners.

Last Updated: March 10, 2005 8:51 am (GG)

Go to Document Center Contents 3

Contents

Chapter 1 IntroductionOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Deciding Which Client to Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Program Neighborhood Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Web Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Program Neighborhood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

New in this Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Accessing Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Chapter 2 Deploying and Installing Client SoftwareInstallation Files for the Client Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

The Access Client for MetaFrame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18The Client Packager and MSI Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Self-Extracting Executables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Cabinet Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Configuring Your Installation Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20MSI Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Self-Extracting Executables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Deploying Your Installation Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Deploying Clients from a Network Share Point . . . . . . . . . . . . . . . . . . . . . . . . 27Deploying the Web Client from a Web Page. . . . . . . . . . . . . . . . . . . . . . . . . . . 28Creating Client Installation Disks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Installation Options for the Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Installing the Program Neighborhood Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Installing the Web Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Installing Program Neighborhood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Chapter 3 Configuring Client SoftwareConfiguring the Program Neighborhood Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Overview of the Program Neighborhood Agent . . . . . . . . . . . . . . . . . . . . . . . . 33Customizing User Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Changing the URL of the Web Interface Server . . . . . . . . . . . . . . . . . . . . . . . . 35

4 Client for 32-bit Windows Administrator’s Guide Go to Document Center

Configuring Program Neighborhood. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Connecting to Published Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Improving Performance over Low-Bandwidth Connections. . . . . . . . . . . . . . . 42

Chapter 4 Optimizing the Client EnvironmentSecuring Your Client Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Windows NT Challenge/Response (NTLM) Support . . . . . . . . . . . . . . . . . . . . 45Certificate Revocation List Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Smart Card Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46SSPI/Kerberos Security for Pass-Through Authentication . . . . . . . . . . . . . . . . 47

Improving Client Performance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50SpeedScreen Browser Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Auto-Client Reconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Session Reliability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Program Neighborhood Quick Launch Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Connecting Client Devices and Published Resources. . . . . . . . . . . . . . . . . . . . . . . 52Workspace Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52PDA Synchronization with Tethered USB Connections . . . . . . . . . . . . . . . . . . 53TWAIN Redirection Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54Mapping Client Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54Enabling Extended Parameter Passing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Improving the User Experience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Digital Dictation Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Configuring Multiple Monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Improving Print Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Client Session Support for Windows Key Combinations . . . . . . . . . . . . . . . . . 65

Supporting NDS Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Connecting to MetaFrame Presentation Server for UNIX . . . . . . . . . . . . . . . . . . . 67

Using the Window Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Cutting and Pasting Graphics Using ctxgrab and ctxcapture. . . . . . . . . . . . . . . 69

Supporting Naming Conventions for Your Network . . . . . . . . . . . . . . . . . . . . . . . 71Dynamic Client Name Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71DNS Name Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Go to Document Center Contents 5

Chapter 5 Securing Client CommunicationConnecting through a Proxy Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Program Neighborhood Agent and the Web Client . . . . . . . . . . . . . . . . . . . . . . 73Program Neighborhood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Connecting with the Secure Gateway or Citrix SSL Relay . . . . . . . . . . . . . . . . . . 77The Secure Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78Citrix SSL Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79Configuring and Enabling Clients for SSL and TLS . . . . . . . . . . . . . . . . . . . . . 81Installing Root Certificates on the Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83Securing the Program Neighborhood Agent with SSL/TLS . . . . . . . . . . . . . . . 84Enabling Smart Card Logon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Connecting through a Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Chapter 6 Updating Client SoftwareAbout the Client Auto Update Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

The Client Update Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90Configuring the Client Update Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Using the ICA Client Update Configuration Utility . . . . . . . . . . . . . . . . . . . . . 91Creating a New Client Update Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92Specifying a Default Client Update Database . . . . . . . . . . . . . . . . . . . . . . . . . . 93Configuring Default Client Update Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 94Adding Clients to the Client Update Database. . . . . . . . . . . . . . . . . . . . . . . . . . 96Removing a Client from the Client Update Database . . . . . . . . . . . . . . . . . . . . 96Changing the Properties of the Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Go to Document CenterCHAPTER 1

Introduction

This manual is for system administrators responsible for installing, configuring, deploying, and maintaining the MetaFrame Presentation Server Clients for 32-bit Windows.

This manual assumes knowledge of:

• The server farm to which your clients connect

• The operating system on the client device (Windows 9x, Windows Me, Windows NT, Windows 2000, Windows XP, or Windows 2003)

• Installation, operation, and maintenance of network and asynchronous communication hardware, including serial ports, modems, and device adapters

OverviewThis chapter introduces Version 9.x of the Citrix clients for computers running 32-bit Windows operating systems. It is designed to help you decide which clients to use in your computing environment and also details the new features included in this release.

MetaFrame Presentation Server allows you to publish a variety of resources for remote access by users. These resources include applications (executables), content files (non-executables, such as text or video files), and entire server desktops. When referring to all types of resources you can publish, this document uses the term published resources. When referring to published content files or published desktops, this document uses the term published content, or published desktop, respectively.

MetaFrame Presentation Server Clients are the components of MetaFrame Presentation Server that users run on their computers to access resources published on servers running MetaFrame Presentation Server. The clients combine ease of deployment and use, and offer quick, secure access to applications, content, and entire server desktops.


Deciding Which Client to UseDifferent enterprises have different corporate needs, and your expectations and requirements for the way users access your published resources may shift as your corporate needs evolve and grow. This section summarizes the clients you can use and how to decide which one best suits your needs.

MetaFrame Presentation Server offers you a choice of the following clients for use on 32-bit Windows systems:

• Program Neighborhood Agent

• Program Neighborhood

• Web Client (two versions)

Note For information about clients for other client devices and operating systems, see the documentation included on your MetaFrame Presentation Server Components CD or visit our Web site at http://www.citrix.com/.

Each of the clients for use with 32-bit Windows differs in terms of:

• Access method by which published resources are delivered to users. Published resources can be delivered to users by three different methods—on the desktop, through a Web browser, or through a user interface.

• Extent of user involvement in configuring, administering, and managing the client.

• Support for the MetaFrame Presentation Server feature set. For a complete list of client features, refer to the Client Feature Matrix available from the Client Download page of the Citrix Web site (http://www.citrix.com).

To decide which client best fits your needs, consider the way you want users to access your published resources, the way you want to manage this access, and the feature set that your users will need. The following sections and table summarize these considerations.

http://www.citrix.com/


http://www.citrix.com

Go to Document Center Chapter 1 Introduction 9

Program Neighborhood AgentThe Program Neighborhood Agent is a client that supports the full MetaFrame Presentation Server feature set. It is centrally administered and configured in the MetaFrame Access Suite Console using a Program Neighborhood Agent Site created in association with a site for the server running Web Interface for MetaFrame Presentation Server.

Access Method. The Program Neighborhood Agent allows your users to access all of their published resources from a familiar Windows desktop environment. Users work with your published resources the same way they work with local applications and files. Published resources are represented throughout the client desktop, including the Start menu and the Windows notification area, by icons that behave just like local icons. Users can double-click, move, and copy icons; and create shortcuts in their locations of choice. The Program Neighborhood Agent works in the background. Except for a shortcut menu available from the notification area, it does not have a user interface.

Client Management and Administration. Program Neighborhood Agent is configured at a site created in the Access Suite Console and associated with the site for the server running the Web Interface. By using the Access Suite Console in this way, you can dynamically manage and control your client population throughout your network from a single location and in real time.

Because client-server data transfer occurs over standard HTTP or HTTPS protocols, you can use the Program Neighborhood Agent with firewalls using port 80 (for HTTP) or 443 (for HTTPS).

Web ClientThe Web Client is a smaller client that allows for quick distribution. It is available in .cab file format for Internet Explorer users for quick download and installation. There are two versions of the Web Client: a full client and a minimal client.

• The full Web Client is available as a self-extracting executable and as a .cab file. The Web Client setup files are significantly smaller than the other clients. The smaller size allows users to more quickly download and install the client software.

• The minimal Web Client is a smaller version of the Web Client designed to support the core functions of MetaFrame Presentation Server for users running Internet Explorer. This version of the Web Client is the smallest available for use with MetaFrame Presentation Server. Use this client when your environment requires a small download and minimal functionality, or in environments where installing a traditional client may not be allowed by security settings.


Access Method. If you want users to access your published resources from within their familiar Web browsers, use the Web Client. Users access published resources from within their Web browser by clicking links on a Web page you publish on your corporate intranet or the Internet. Clicking a link launches the published resource, either within the same browser window or in a new, separate browser window. The Web Client does not require user configuration. It works in the background and does not have a user interface.

Client Management and Administration. You can use the Web Client to access resources available from the Web Interface, and for access to resources published with traditional Application Launching and Embedding (ALE). Publish links to your resources with the Web Interface or by using an HTML wizard.

This client requires the presence on client devices of Microsoft Internet Explorer 5.0 through 6.0, Service Pack 1, or of Netscape Navigator 4.78, and 6.2 through 7.1.

Web Client (Minimal Installation)A smaller version of the Web Client, the minimal installation client is ideal for environments that do not require features such as COM port mapping, universal print driver, or client audio, for example.

Program NeighborhoodProgram Neighborhood supports the full MetaFrame Presentation Server feature set and it requires user configuration and management. Program Neighborhood cannot be configured from a centralized site, such as the Program Neighborhood Agent Site; thus, it does not require the Web Interface for MetaFrame Presentation Server.

Access Method. If you want users to access your published resources from within a distinctive user interface, use Program Neighborhood. Using Program Neighborhood, users can browse for sets of published resources (referred to as application sets) or create custom connections to individual published resources or to servers running MetaFrame Presentation Server. Icons representing application sets and custom ICA connections appear in the Program Neighborhood window.

Client Management and Administration. You can configure options for Program Neighborhood using its interface or you can set up scripted updates using various .ini files. For this reason, users running Program Neighborhood must be able to navigate through the interface easily and be able to understand the implications of any changes to their options.

Choose Program Neighborhood if you do not want to publish your resources using the Web Interface. If you choose to implement the Web Interface at a later time, Program Neighborhood users can also access resources published through the Web Interface. If you are planning to use the Web Interface and have not yet deployed any clients, use the Program Neighborhood Agent or the Web Client.


ClientAccess Method User Involvement

Client Features

Program Neighborhood Agent Transparent integration of published resources into user’s desktop

Central administration of user settings

Supports the full feature set of MetaFrame Presentation Server.

Web Client Web browser-based access to published resources

Central administration of user settings

Full version supports the full feature set of MetaFrame Presentation Server. Minimal version supports most of the features.

Program Neighborhood Program Neighborhood user interface

Requires initial user configuration

Supports the full feature set of MetaFrame Presentation Server.


New in this ReleaseVersion 9.x of the clients ships with MetaFrame Presentation Server 4.0 for Windows, and runs on Windows 9x, Windows NT 4.0, Windows 2000, Windows 2003, and Windows XP operating systems. It introduces a wide range of new features and performance improvements, and is fully backward compatible with earlier versions of Windows and MetaFrame XP feature releases.

Highlights of Version 9.x of the clients include:

Advanced Universal Printing. MetaFrame Presentation Server now uses the Windows Enhanced MetaFile Format (EMF) for transferring print jobs from client to server to improve printing performance, especially time-to-print. Also, the ability to tailor printer settings to the capabilities of the underlying client printer is provided through the use of a generic printer driver.

The following enhancements are provided by these features:

• Generic universal printer driver supporting all common printer device settings and forms.

• Capabilities/forms filtering—printer driver adjusts common print preferences and device settings based on capabilities and default settings of remote printer/driver.

• EMF print processor (server)—custom print processor to capture and marshal EMF spool files.

• EMF renderer (client)—a print preview application invoked to handle print jobs. This print preview allows the pages of a print job to be inspected visually and then directed to any client printer of the user’s choice through a standard Windows print dialog box. Alternatively, the user can cancel the print job.

Print Provider and Port Monitor Improvements. Other printing enhancements in this release of MetaFrame Presentation Server improve the usability of client printing through ICA and also provide a more consistent user experience. Among the ways that this is done:

• Shorter, more user-friendly client printer names

• Dynamic printers and ports—client printers and ports are visible and accessible only within the session context in which they are created

• Backward compatibility to support printer and port names derived from client names

• Extended printer properties inheritance—device/driver-specific printer property inheritance for Windows clients equipped with identical drivers

• New client printer policies available for configuration in the Presentation Server Console


TWAIN Redirection Support. MetaFrame Presentation Server can now redirect client-connected imaging devices, notably document scanners, from the client to the server. This allows users to control client-attached imaging devices from applications that run on the server. The redirection is transparent.

To capture an image, users connect to a farm server from a client device that has an imaging device and the associated vendor-supplied TWAIN driver installed locally. When the TWAIN application is run from within this session, the application detects and interacts with the client-side device. The server-based application that is accessed behaves the same as a client-based application.

This feature contains two new policy rules that allow it to be customized.

• The first rule controls whether or not to use JPEG compression

• The second rule allows bandwidth limits to be set for the feature

Program Neighborhood Quick Launch Bar. The Program Neighborhood client now includes a Quick Launch Bar that enables users to quickly and easily connect to a server without having to go through a wizard to create an ICA connection. Server connections can be made by simply entering the server name or address in the Quick Launch Bar and clicking a Go button. An Options button also allows users to configure properties of the quick launch connection.

PDA Synchronization with Tethered USB Connections. This feature allows the synchronization of a client-connected USB PDA device using application software running in a groupware environment, rather than only with applications on the client device. This feature supports USB-tethered and Microsoft Windows powered PDAs that use ActiveSync as a synchronization agent.

PDA Synchronization:

• Supports all features of ActiveSync

• Implements full Plug-and-Play (PnP) support for USB-tethered Windows CE-based PDAs

• Works for pass-through ICA connections and reconnection to disconnected sessions


Improved Multi-Monitor Support. MetaFrame Presentation Server now better supports client environments equipped with multiple monitors. Multi-monitor enhancements enable users to:

• Connect seamlessly to published applications without having to modify primary monitor settings. It is no longer necessary to set the top leftmost monitor as the primary monitor.

• Maximize applications to the full size of the client monitor from which the application was maximized, rather than maximizing to either the primary monitor or to all monitors.

• Allow application menus to appear in the correct locations, rather than appearing only on the primary monitor.

Improved Support for File-Locking Rules. Client drive mapping for MetaFrame Presentation Server now supports and respects operating system file locking rules. When a file is opened, the remote file system driver locks it on both the server and client sides. This prevents possible versioning conflicts brought about by simultaneous use from multiple clients.

Client Session Support for Windows Key Combinations. Program Neighborhood and Program Neighborhood Agent now allow the pass-through of Windows keyboard shortcuts within a remote client session. These shortcuts perform particular actions when pressed; for example, ALT+TAB cycles through open applications.


Accessing DocumentationThis guide is part of the MetaFrame Presentation Server documentation set. The documentation set includes online guides that correspond to different features of MetaFrame Presentation Server. Online documentation is provided as Adobe Portable Document Format (PDF) files.

Use the Document Center to access the complete set of online guides. The Document Center provides a single point of access to the documentation that enables you to go straight to the section of the documentation that you need. The Document Center includes:

• A list of common tasks and a link to each item of documentation.

• A search function that covers all the PDF guides. This is useful when you need to consult a number of different guides.

• Cross-references among documents. You can move among documents as often as you need using the links to other guides and the links to the Document Center.

Access the Document Center on the server on which MetaFrame Presentation Server is installed by choosing Start > Programs > Citrix > MetaFrame Presentation Server > Documentation.

Important To view, search, and print the PDF documentation, you need to have Adobe Reader 5.0.5 or later with Search. You can download Adobe Reader for free from Adobe Systems’ Web site at http://www.adobe.com/.

If you prefer to access the guides without using the Document Center, you can navigate to the component PDF files using Windows Explorer. If you prefer to use printed documentation, you can also print each guide from Adobe Reader.

More information about Citrix documentation and details about how to obtain further information and support is included in Getting Started with MetaFrame Presentation Server.

http://www.adobe.com/


Deploying and Installing Client Software

The Components CD included in your MetaFrame Presentation Server media pack contains installation files for all the MetaFrame Presentation Server Clients for 32-bit Windows in the ICAWeb\en\ica32 directory.

This chapter discusses the steps necessary for deploying and installing your client software, including:

• Identifying the installation file you will be using

• Configuring the installation package to limit user interaction in the installation process

• Deploying the installation package to users

• Installing the client software; specifically, the options that the Setup wizard will present to your users

Important If you are using the self-extracting executable files, do not install the Program Neighborhood Agent and Program Neighborhood on the same client device. Client features may be adversely affected and removal of one of the clients will remove common registry settings.


Installation Files for the Client SoftwareYou can install the MetaFrame Presentation Server Clients for 32-bit Windows using the Access Client, an MSI package, a self-extracting executable file, or a cabinet file.

Note Each client installation that includes a MetaFrame Presentation Server Client includes the Program Neighborhood Connection Center, allowing users to see information about their current ICA connections.

The Access Client for MetaFrameThe products in the MetaFrame Access Suite require that various pieces of client software be installed on your users’ devices. If you are using multiple products within the suite, you can use the Access Client for MetaFrame to create a Windows Installer package that contains the client software pieces you need to deploy.

The Access Client contains all of the client-side pieces of the MetaFrame Access Suite, allowing you to quickly and easily deploy and maintain the client-side software to your users using one convenient Windows Installer package. After you deploy your client software, you can update your installations simply by creating and deploying an updated installation package using the latest version of the Access Client Manager.

The Access Client is available in the Download section of the Citrix Web site, www.citrix.com, and contains up-to-date client software and hotfixes for MetaFrame Presentation Server, MetaFrame Password Manager, and MetaFrame Secure Access Manager.

Creating a Client Distribution PackageRun the Access Client in administrative mode to select the client-side software pieces you want to package together by entering the following at a command line:

msiexec.exe /a [path to msi file]

Select your client components, and optionally customize the installation process of each client. Additionally, you can choose to reduce the overall size of the final distribution package by selecting the option to remove unused files.

Distributing and Installing Your Client Software PackageAfter you create your client software package, you can make it available to your users on a network share point or distribute it using your Active Directory infrastructure.

Go to Document Center Chapter 2 Deploying and Installing Client Software 19

Client devices must meet the requirements of each client software component within your package. For example, if you attempt to install a package that includes the MetaFrame Password Manager agent and the Advanced Gateway client on a device that does not meet the requirements for the MetaFrame Password Manager agent, only the Advanced Gateway client is installed.

The software package you create using the Access Client Manager upgrades previously installed client software on your client devices. For example, if you create a Windows Installer package that includes Program Neighborhood Agent, installing that package on a device that has a version of Program Neighborhood Agent upgrades Program Neighborhood Agent automatically.

To uninstall a client that was installed or upgraded using a Windows Installer package, users must run the Add/Remove Programs utility from the Control Panel, or run the installer package again and select the Remove option.

For more information about the Access Client, along with a full list of included clients, see the Download section of the Citrix Web site at www.citrix.com.

The Client Packager and MSI PackagesAn MSI package, Ica32Pkg.msi, is provided on the Components CD. The file is approximately 3.3MB in size. Using the Client Packager for MetaFrame Presentation Server, you can wrap all of the 32-bit clients into a single MSI package. You can customize the Client Packager to deploy and maintain any number and combination of clients network-wide. Based on Windows Installer technology, the client packager lets you install, uninstall, modify, and repair clients as well as perform controlled client upgrades. An easy-to-use wizard guides you through the configuration step by step.

To uninstall a client that was installed with a Windows Installer package, run the Add/Remove Programs utility from the Control Panel or run the installer package again and select the Remove option.

Important To install the client software using an MSI package, the Windows Installer Service must be installed on the client device. This service is present by default on systems running Windows XP, Windows 2000 Server, or Windows Server 2003. To install clients on client devices running earlier versions of the Windows operating system, you must use the self-extracting executable or install the Windows Installer 2.0 Redistributable for Windows, available at http://www.microsoft.com/.

http://www.microsoft.com/



Self-Extracting ExecutablesA self-extracting executable file exists for each of the 32-bit Windows clients:

• Ica32a.exe – a self-extracting executable for Program Neighborhood Agent, approximately 3.8MB in size

• Ica32t.exe – a self-extracting executable for the Web Client, approximately 2.7MB in size

• Ica32.exe – a self-extracting executable for Program Neighborhood, approximately 4.3MB in size

Cabinet FilesCabinet files provide the capability for users to install the Web Client or Program Neighborhood from a Web page automatically.

• Wficat.cab – a cabinet file for the Web Client, approximately 2.3MB in size

• Wficac.cab – a cabinet file for the Web Client (minimal install), approximately 1.4MB in size

• Wfica.cab – a cabinet file for Program Neighborhood, approximately 4.1MB in size

Configuring Your Installation FilesBefore deploying an MSI package or a self-extracting executable file, you can preconfigure numerous settings for your users. You can remove some user interaction in the installation process or all of it; thus enforcing a “silent” installation. The following sections detail how to configure these settings.

MSI PackagesMSI packages can be configured in three ways—with the Client Packager, using command-line parameters, and through the use of transforms.

To configure an MSI package using the Client Packager

1. Copy the Client Packager (Ica32pkg.msi) from the Components CD to a local directory.

2. Create a share point on a file server that is accessible to your users.


3. Type the following at a command prompt:

Msiexec.exe /a path/ica32pkg.msi

where path/ is the local path where you placed this file in Step 1.

The Client Packager Setup wizard appears.

4. Enter the UNC path to the network share point where you want to store the customized package.

5. Select your compression option and click Next.

6. Select one or more clients to be included in the install package. If you select Program Neighborhood or Program Neighborhood Agent, the Setup wizard for each client appears.

7. On the Upgrade Settings page, choose whether or not the install package can upgrade or downgrade existing clients.

8. On the Select User Dialog Boxes page, specify the dialog boxes displayed to users when they run the install package.

9. Verify your selections on the summary page and click Finish. The install package you specified above is created in the specified UNC path.

To configure an MSI package using command-line parameters

1. On the machine where you wish to install the client package, type the following at a command prompt:msiexec.exe /I path/ica32pkg.msi [Options]where path/ is the location of the MSI package and [Options] can be any of the traditional MSI command-line parameters.

2. Set your options as needed. Examples of some parameters that are supported:

• /qn executes a completely silent installation.

• /qb shows simple progress and error handling.

• /qb-! shows simple progress and error handling without displaying a Cancel button to the user.

• /l*v logfile creates a verbose install log where logfile is the path and filename for where to save the log. Use quotes for a path with spaces.

• PROPERTY=ValueWhere PROPERTY is one of the following all-caps variables (keys) and Value is the value the user should specify.


• PROGRAM_FOLDER_NAME=<Start Menu Program Folder Name>, where <Start Menu Program Folder Name> is the name of the Programs folder on the Start menu containing the shortcut to the Program Neighborhood Agent software. The default value is Citrix\MetaFrame Access Clients. This function is not supported during client upgrades.

• INSTALLDIR=<Installation directory>, where <Installation directory> is the location where the client software is installed. The default value is C:\Program Files\Citrix\ICA Client.

• CLIENT_NAME=<ClientName>, where <ClientName> is the name used to identify the client device to the server farm. The default value is %COMPUTERNAME%.

• ENABLE_DYNAMIC_CLIENT_NAME={Yes | No}. To enable dynamic client name support during silent installation, the value of the property ENABLE_DYNAMIC_CLIENT_NAME in your installer file must be Yes. To disable dynamic client name support, set this property to No. See “Dynamic Client Name Support” on page 71 for more information about this feature.

• CLIENT_UPGRADE={Yes | No}. By default, this property is set to Yes. This installs the client if an earlier version of the client is already installed.

• ENABLE_SSON={Yes | No}. The default value is No. If you enable the SSON (pass-through authentication) property, set the ALLOW_REBOOT property to No to avoid automatic restarting of the client system.

Important If you disable pass-through authentication, users must reinstall the client if you decide to use pass-through authentication at a later time.

• ALLOW_REBOOT={Yes | No}. The default value is Yes.

• DEFAULT_NDSCONTEXT=<Context1 [,…]>. Include this parameter if you want to set a default context for Novell Directory Services (NDS). If you are including more than one context, place the entire value in quotation marks and separate the contexts by a comma.Examples of correct parameters:DEFAULT_NDSCONTEXT=Context1DEFAULT_NDSCONTEXT="Context1,Context2"Example of an incorrect parameter:DEFAULT_NDSCONTEXT=Context1,Context2


• SERVER_LOCATION=<Server_URL>. The default value is Web Server. Enter the URL of the server running the Web Interface. The URL must be in the format http://<servername> or https://<servername>.

Note The Program Neighborhood Agent appends the default path and file name of the configuration file to the server URL. If you change the default location of the configuration file, you must enter the entire new path in the SERVER_LOCATION key.

• CTX_PN_ENABLE_CUSTOMICA = {Yes | No}. By default, this property is set to Yes. Defines whether or not you want to enable the Custom Connection icon in Program Neighborhood.

• CTX_PN_ENABLE_QUICKLAUNCH = {Yes | No}. By default, this property is set to Yes. Defines whether or not you want to enable the Quick Launch Bar in Program Neighborhood.

• CTX_ALLOW_CLIENT_DOWNGRADE={Yes | No}. By default, this property is set to No. This prevents installation of the client over a more recent version. Set to Yes to allow the installation of the client to replace a more recent version. To downgrade to a client version ealier than 9.x, you must also set the REINSTALLMODE property to aums.

• REINSTALLMODE=<mode>. The default for this property is oums. Set to aums to overwrite later versions of the client. See Microsoft Windows Installer documentation for details.

Example of a command-line installation: Using the above procedure, a command-line configuration of your MSI package could resemble:msiexec.exe /I ica32pkg.msi /qb-! /l*v “c:\my logs\ica32_install.log” SERVER_LOCATION=http://mywebinterface

This would:

• Install all clients with visible progress dialogs, but the Cancel button is disabled for the user

• Log the installation messages to “c:\my logs\ica32_install.log”

• Specify the URL (http://mywebinterface) of the server running the Web Interface that the Program Neighborhood Agent will reference

To configure an MSI package using transforms

1. Using your preferred tool for editing Windows Installer packages, open the Client Packager (Ica32pkg.msi).

2. Enter new values for the properties you want to change in the Property table.


3. Generate the transform file and save it with an .mst file extension.

4. To install the MSI package and use the transform you just created, follow the same steps as outlined above in the procedure dealing with command-line installations. Additionally, however, you must add the following PROPERTY=Value option:TRANSFORMS = path\”my.mst”where path is the location of the transform and “my.mst” is its file name.

Important Transforms manipulate the installation process by making changes to the installation database contained within a Windows Installer package. The preceding procedure should only be attempted by those familiar with transforms and their impact upon these settings. For more information, see the MetaFrame Presentation Server Administrator’s Guide.

Self-Extracting ExecutablesYou can also configure installation settings before you deploy the client software as self-extracting executable files. For Program Neighborhood, users can begin using the client immediately without having to configure several of the required settings. The self-extracting executables for Program Neighborhood Agent and the Web Client can also be configured in this way.

Important You can use any standard compression utility to extract the contents of the installer file. However, you must use commercially available software to repackage the contents for distribution to users.

Configuring the Program Neighborhood AgentYou can limit user interaction with the self-extracting executable setup program by entering values in the Install.ini file before you deploy the setup program to your users.

To configure the installation of the Program Neighborhood Agent

1. Extract the client files from Ica32a.exe using your preferred compression utility software, or by typing at a command line: Ica32a.exe -a -unpack:<Directory Location>where <Directory Location> is the path to the directory in which you want to extract the client files.


2. Locate and open the Install.ini file in a text editor.

When you enter values for the following parameters, setup dialog boxes for these options do not appear on the user’s screen.ServerURL= URL for the server running the Web Interface. The default value is Web Server. Enter the URL of the server running the Web Interface in the format http://servername or, for SSL-secured communications, https://servername.SetMachineNameClientName= Enter Yes to accept the Windows machine name as the client device name.Location= Enter the installation location. StartMenu= Enter the Start menu path. The path you enter here is appended to the Programs folder of the Start menu.InstallSingleSignOn= Enter Yes to enable pass-through authentication.

Important If you disable pass-through authentication, users must reinstall the client if you decide to use pass-through authentication at a later time.

AcceptClientSideEULA= Enter Yes to accept the end-user license agreement.

3. Save the file and exit the text editor.

4. Repackage the client files for distribution to your users.

Configuring the Web ClientYou can limit user interaction with the Web Client Setup by suppressing the appearance of the initial user prompt and the Citrix License Agreement.

To configure the installation of the Web Client

1. Extract the client files from Ica32t.exe using your preferred compression utility.

2. Locate and open the Ctxsetup.ini file in any text editor.

3. To suppress the initial user prompt, locate the InitialPrompt parameter. Change the value of the setting from 1 to 0.

4. To suppress the Citrix License Agreement dialog box, locate the DisplayLicenseDlg parameter and set the value to 0.

5. Save the file and exit the text editor.

6. Repackage the client files for distribution to your users.


Configuring Program NeighborhoodYou can customize many Program Neighborhood settings, including default application sets, server location, screen display resolution, and encryption level, among others. General instructions for preconfiguring the client are included below. For definitions of parameters in the client .ini files, see the Configuration Guide for the Clients on the Citrix Web site at http://www.citrix.com/support; select Product Documentation.

Important When Program Neighborhood is installed on a client device, several of the .ini files you can modify are copied to the user’s profile directory. If you modify settings for a new version of Program Neighborhood prior to updating with the Client Auto Update feature, your changes are not migrated to the .ini files under the user’s profile directory.

To configure the installation of Program Neighborhood

1. Obtain a copy of the client installer file (Ica32.exe).

2. Extract the contents of the installer file to a new folder, A.

3. Install the client using the same installer file you used in Step 2.

4. Start the client and customize the client settings, as desired, from the client user interface.

5. When you are done, open the %User Profile%\Application Data\ICAClient folder and copy all files with an .ini extension to a new folder, B.

6. In folder B, replace all .ini file extensions with .src (source) extensions.

7. Copy the contents of folder B to folder A, overwriting the existing .src files in folder A with their modified equivalents from folder B. The contents of folder A now represent your custom installer set of .ini files.

8. Repackage the contents of folder A for distribution to users.

http://www.citrix.com/support


Deploying Your Installation FilesYou can deliver client software to your users using several methods, depending on the size of your organization and the available resources. This section discusses some of the methods by which you can deploy your client installation files. For a detailed discussion of the latest deployment methods available, see the MetaFrame Presentation Server Administrator’s Guide. If you are using MetaFrame Presentation Server in conjunction with the Web Interface, see the Web Interface Administrator’s Guide for information about deploying clients in that environment.

Important MSI packages or self-extracting executable files can be deployed with Windows 2000 Active Directory Services or Microsoft Systems Management Server. See your Windows 2000 or Systems Management Server documentation for more information.

Deploying Clients from a Network Share PointIn many environments, your users can access internal resources from network share points. You can centralize your client deployment from a single network share point, allowing you to provide users with setup files from one location.

Deploying MSI PackagesYou can deploy an MSI package from a network share point. Use the Client Packager to configure your installation settings, as detailed on page 20. During this procedure you can provide a UNC path to the network share point where you want to store the customized MSI package.

Note Active Directory Group Policy can also be used to install the client software or provide the network path to your users. See your Windows 2000 or Systems Management Server documentation for more information.

Deploying Self-Extracting Executable FilesTo deploy a self-extracting executable file from a network share

1. Create a share point on a file server that is accessible to your users.

2. Copy the required client executable from the Components CD to the share point.

3. Supply your users with the path to the executable.

4. Users double-click the executable to begin the installation process.


Deploying the Web Client from a Web PageYou can provide a link in a Web page for users to install the Web Client.

For example, to insert the minimal Web Client in a Web page, add the following code to a Web page to prompt the download of the Wficac.cab file:<OBJECT

classid="clsid:238f6f83-b8b4-11cf-8771-00a024541ee3"

data="np.ica"

CODEBASE="http://web-server-root/some-directory/wficac.cab"

width='640'

height='480'

hspace='2'

vspace='2'>

<param name="Start" value="Auto">

<param name="Border" value="On">

</OBJECT>

Important Add the site(s) from which the .cab file is downloaded to the Trusted Sites zone.

If you are using the Web Client with the Web Interface, see the Web Interface Administrator’s Guide for more information about deploying this client.

Creating Client Installation DisksYou can use the Client Creator to create client installation disks for Program Neighborhood. You need three to four 3.5-inch, 1.44MB floppy disks to create the client installation disks.

To create client installation disks (on servers running Windows 2000)

1. From a server running MetaFrame Presentation Server, select ICA Client Creator from the Citrix group folder. The Make Installation Disk Set dialog box appears.

2. In the Network Client or Service list, select the required client. Select the Format Disks check box to format the disks when creating the installation media. Click OK.

3. Follow the on-screen instructions.


To create client installation disks (on servers running Windows Server 2003)

Client Creator is not available on servers running Windows Server 2003. You must manually copy the files to preformatted floppy disks.

1. In the MetaFrame Presentation Server Component CD, navigate to the folder \ICAINST\en\ica32\disks\.

2. Copy the contents of each numbered folder onto corresponding preformatted floppy disks.

Installation Options for the ClientsFor each MSI package or self-extracting executable, the Setup wizard guides you through the process of installing the client software. When Setup begins, a series of information pages and dialog boxes prompts you to select options and configure the product. In each installation, you must accept the Citrix License Agreement before Setup will continue.

The following section describes the various options you configure during Setup. The options are presented in the order they appear for each client. Depending on the components you choose to install, you may not encounter all configuration options described in this section, or you may encounter them in different order.

Installing the Program Neighborhood AgentWhen users install the Program Neighborhood Agent they are presented with the following options:

Upgrade existing client software. Setup searches the client device for previously installed versions of the Program Neighborhood Agent. If Setup detects a previous installation of the Program Neighborhood Agent, the user can either upgrade the existing client or create a new installation of the Program Neighborhood Agent. The default value is Upgrade the existing client. If you are upgrading with the MSI package, you will not be presented with any further options.

Select Program Folder. Users can choose to use the default MetaFrame Presentation Server Client folder, specify the name of a new program folder, or add the Program Neighborhood Agent icon to an existing folder.

Specify the Server Address. Users must enter the URL of the appropriate server running the Web Interface in the format http://servername (for non-secure connections), or https://servername (for secure connections). Program Neighborhood Agent connects to the server at startup to get the latest configuration information including available published resources and permissions to change local settings.


Enable Pass-Through Authentication. Users must select whether or not to enable and automatically use their local user credentials for Citrix sessions from the client being installed. Pass-through authentication allows the client to access a user’s local Windows user name, password, and domain information and pass it to the server. Users are not prompted to log on to the Program Neighborhood Agent separately. You must enable this logon mode using the Web Interface to make it available to users.

Important If users do not enable pass-through authentication during the installation process, they must reinstall the Program Neighborhood Agent if they decide to use pass-through authentication at a later time.

Specify the Client Name. Servers running MetaFrame Presentation Server use the client name to manage client printers and other system resources. By default, the machine name is used as the client name. If you do not assign a unique machine name to each client device, device mapping and application publishing may not operate correctly.

Important The client name cannot contain the following characters:\/:*?"<>|,.()[]; a blank client name (or a missing registry key) will use the client’s computer name as the client name, and the client name must be less than 20 bytes.

Installing the Web ClientInstalling the Web Client requires minimal user interaction. After a user accepts the Citrix License Agreement, Setup copies files to the client device. By default, the Web Client is installed in the Program Files\Citrix\Icaweb32 directory.

Installing Program Neighborhood When users install Program Neighborhood they are presented with the following options:

Upgrade existing client software. Setup searches the client device for previously installed versions of Program Neighborhood. If Setup detects a previous installation of Program Neighborhood, the user can upgrade the existing client or create a new installation of Program Neighborhood. The default value is Upgrade the existing client. If you are upgrading with the MSI package, you will not be presented with any further options.

Choose Destination Location and Select Program Folder. Users can change the default installation path and the default Program folder.


Specify Client Name. Servers running MetaFrame Presentation Server use the client name to manage client printers and other system resources. By default, the machine name is used as the client name. If you do not assign a unique machine name to each client device, device mapping and application publishing may not operate correctly.

Program Neighborhood Options. Users can enable the Program Neighborhood Quick Launch Bar and Custom ICA Connections.These provide additional methods to connect to MetaFrame Presentation Server. By default, both of these options are enabled.

Enable Pass-Through Authentication. Users must select whether or not to enable and automatically use their local user credentials for Citrix sessions from the client being installed. Pass-through authentication allows the client to access a user’s local Windows user name, password, and domain information and pass it to the server. Users are not prompted to log on to Program Neighborhood separately.

Important If users do not enable pass-through authentication during the installation process, they must reinstall Program Neighborhood if they decide to use pass-through authentication at a later time.


Configuring Client Software

After client software is deployed to your users and they install it, there are configuration steps that can be performed. This chapter discusses these steps for the Program Neighborhood Agent and Program Neighborhood—the Web Client does not require configuration.

Configuring the Program Neighborhood AgentThis section provides an overview of the Program Neighborhood Agent and discusses how to customize user preferences and change the URL of the Web Interface server to which the client device points.

Overview of the Program Neighborhood AgentConfigure the options and settings for Program Neighborhood Agent using the associated Program Neighborhood Agent Site in the Access Suite Console. Each time users log on to the Program Neighborhood Agent, they see the most recent Program Neighborhood Agent configuration. Changes made while users are connected take effect when the client configuration is refreshed manually or automatically after a designated interval.

Important The Program Neighborhood Agent requires the Web Interface for MetaFrame Presentation Server.

Using the Program Neighborhood Agent in conjunction with the Web Interface, you can integrate published resources with users’ desktops. Users access remote applications, desktops, and content by clicking icons on their Windows desktop, from the Start menu, in the Windows notification area, or any combination thereof.


The Program Neighborhood Agent handles the following functions:

• User authentication. The client provides user credentials to the Web Interface when users try to connect and every time they launch published resources.

• Application and content enumeration. The client presents users with their individual set of published resources.

• Application launching. The client is the local engine used to launch published applications.

• Desktop integration. The client integrates a user’s set of published resources with the user’s desktop.

• User preferences. The client validates and implements local user preferences.

For a complete list of Program Neighborhood Agent features, refer to the Client Feature Matrix available from the Client Download page of the Citrix Web site (http://www.citrix.com).

Customizing User PreferencesThis section presents general information about customizing user preferences on the client device running the Program Neighborhood Agent.

To customize user preferences for the Program Neighborhood Agent

1. In the Windows notification area, right-click the Program Neighborhood Agent icon and choose Properties from the menu that appears.

2. On each tab, make the desired configuration changes.

3. Click OK to save your changes.

For more detailed information, see the online help for the Program Neighborhood Agent.



Go to Document Center Chapter 3 Configuring Client Software 35

Changing the URL of the Web Interface ServerThe Program Neighborhood Agent requires the URL to a configuration file (Config.xml is the default configuration file) on the server running the Web Interface. You may ask your users to change the server URL as you create new configuration files or delete old ones.

Tip To prevent users from accidentally changing their server URL, disable the option or hide the Server tab entirely.

To change the server URL in Program Neighborhood Agent

1. In the Windows notification area, right-click the Program Neighborhood Agent icon and choose Properties. The Server tab displays the currently configured URL.

2. Click Change and enter the server URL in the format http://<servername>, or https://<servername> to encrypt the configuration data using SSL.

3. Click Update to apply the change and return to the Server tab.

4. Click OK to close the Properties dialog box.

To delete memorized server URLs


2. Select the Server tab and click Change.

3. Click the down arrow to view the entire list of memorized server URLs.

4. Right-click the URL you want to delete and select Delete.

5. Click Update.

6. Click OK.


Configuring Program Neighborhood Use Program Neighborhood if you are not using the Web Interface to deliver published resources. Program Neighborhood has its own user interface—the Program Neighborhood window—from which users browse for application sets or create custom ICA connections to servers running MetaFrame Presentation Server or to published applications.

This client can be used with the Web Interface. However, if you are planning to use the Web Interface and have not yet deployed any clients, use the Program Neighborhood Agent or the Web Client.

This section explains how to configure Program Neighborhood and dicusses connecting to published resources and improving performance over low-bandwidth connections.

Important Unlike Program Neighborhood Agent, Program Neighborhood cannot be administratively configured in the MetaFrame Access Suite Console. You must configure options for Program Neighborhood using its user interface. For this reason, users running Program Neighborhood must be able to navigate through the interface easily and be able to understand the implications of any changes to their options.

For step-by-step instructions about how to configure Program Neighborhood, see the Program Neighborhood online help.

Connecting to Published ResourcesWith Program Neighborhood, users can connect to published resources and servers running MetaFrame Presentation Server using:

• Application sets

• Custom ICA connections

An application set is a user’s view of the resources published on a given server farm that the user is authorized to access. Resources published in an application set are preconfigured for such session properties as window size, number of colors, supported encryption levels, and audio compression rate.

If these settings are not required to run the published application (such as, for example, the audio compression rate), you can change them on the client device at the application set level.


Important Application set functionality is not available for applications published on servers running MetaFrame Presentation Server for UNIX. To connect to an application published on these servers, users must create a custom ICA connection.

A custom ICA connection is a user-defined shortcut to a published application or server desktop. While you can create custom ICA connections to connect to any server desktop or published application, you must use custom ICA connections to connect to:

• A server running MetaFrame Presentation Server outside of a server farm scope of management

• An application published prior to the installation of a MetaFrame 1.8 server that cannot be migrated into a server farm

• An application published on a server running MetaFrame Presentation Server for UNIX

Applications published in this way are not enabled for automatic configuration of Program Neighborhood sessions.

With Program Neighborhood, users can connect to a server in the server farm using one of the following methods:

• Dialing into a server running MetaFrame Presentation Server using a modem installed on the client device (serial connection).

• Establishing a custom ICA connection over a direct serial cable (serial connection).

• Using the local or wide-area network connection between the client device and the server running MetaFrame Presentation Server. This method uses one of the following network protocols:

• TCP/IP+HTTP

• SSL/TLS+HTTPS

• TCP/IP

• IPX

• SPX

• NetBIOS

Note Remote users can connect to servers running Windows Server 2003 over TCP/IP only. Terminal Services in Windows Server 2003 does not support remote connections over IPX/SPX, NetBIOS, and asynchronous transports.


With Microsoft Remote Access Service (RAS) or Dial-Up Networking (DUN) in combination with the client, users can connect to a server running MetaFrame Presentation Server. For this type of connection, the client device must meet the following requirements:

• The RAS or DUN client software must be installed on the client device

• The RAS server or third-party PPP server must be located on the same network as the server running MetaFrame Presentation Server

ICA BrowsingICA browsing is a process in which a client transmits data to locate servers on the network and get information about the applications published in the server farm.

For ICA browsing, clients communicate with the Citrix XML Service or the ICA browser, depending on the browsing protocol selected in the client.

ICA browsing occurs when:

• Users launch published applications. The client sends a request to locate the application on a server.

• Program Neighborhood users display the Application Set list in the Find New Application Set wizard.

• Program Neighborhood users display the Server or Published Application list in the Add New ICA Connection wizard to create a custom ICA connection.

Communicating with the Citrix XML ServiceCitrix XML Service, a component of MetaFrame Presentation Server, is installed by default on all servers running MetaFrame Presentation Server. The XML Service communicates published application information to clients using HTTP protocol and XML data. The XML Service also communicates published application information to servers running the Web Interface.

For example, when a user launches a published application from Program Neighborhood, the client sends a request for the application. The XML Service responds with the address of a server on which the application is published.

With the Web Interface, for example, a user connects to a Web page using a Web browser. The XML Service provides a list of available resources to the server running the Web Interface. The server then displays the available resources on the user’s personalized application Web page.

For more information about the Citrix XML Service, see the MetaFrame Presentation Server Administrator’s Guide.


Specifying the Network Protocol for ICA BrowsingAs described above, ICA browsing is a process that locates servers and published applications in response to requests from a client. Changing the network protocol setting allows you to control the way the client searches for servers running MetaFrame Presentation Server and how it communicates with them.

For step-by-step instructions about configuring the network protocol, see the Program Neighborhood online help. For more information about using SSL to secure client-to-server communication, see “Configuring and Enabling Clients for SSL and TLS” on page 81.

This section discusses the TCP/IP+HTTP, SSL/TLS+HTTPS, and TCP/IP protocols and their implementation in a server farm. For additional information about configuring server farms for ICA browsing, see the MetaFrame Presentation Server Administrator's Guide included in your MetaFrame Presentation Server media pack.

Important SSL/TLS+HTTPS or TCP/IP+HTTP retrieves information only on a per-server farm basis. To retrieve information from more than one server farm, you must configure server location settings for each application set. For custom ICA connections, you must configure server location settings for each ICA connection. Do not place addresses from separate farms in the same server location list.

Using TCP/IP+HTTP for ICA Browsing Program Neighborhood uses TCP/IP+HTTP as the default network protocol. The client uses the HTTP protocol to search for servers running MetaFrame Presentation Server. Select this protocol when clients connect over the Internet or through a firewall or proxy server.

Using the TCP/IP+HTTP protocol for ICA browsing provides the following advantages for most server farms:

• TCP/IP+HTTP uses XML data encapsulated in HTTP packets that the client sends to port 80 by default. Most firewalls are configured so port 80 is open for HTTP communication.

• TCP/IP+HTTP does not use UDP (User Datagram Protocol) or broadcasts to locate servers in the server farm.

• Routers pass TCP/IP packets between subnets, which allows clients to locate servers that are not on the same subnet.


By default, if no server is specified, the client attempts to resolve the name “ica” to an IP address. This is indicated by the virtual server location “ica” in the Address List box. This feature allows the Domain Name Service (DNS) or Windows Internet Naming Service (WINS) administrator to configure a host record that maps “ica” to a valid server IP address that can service XML requests from clients.

You must map a server running MetaFrame Presentation Server to the default name of “ica” on your network or you must specify at least one IP address in Program Neighborhood.

Tip You can configure the DNS server for the clients to use round-robin DNS to map the name “ica” to a set of servers that can service the XML requests. Use this approach to avoid configuring individually server location addresses on your client devices.

You can specify servers to contact for ICA browsing by entering IP addresses or DNS names of servers running MetaFrame Presentation Server in the Address List box in Program Neighborhood. You can define up to three groups of servers: a primary and two backups. Each group can contain from one to five servers. When you specify a server group for your client, the client attempts to contact all the servers within that group simultaneously and the first server to respond is the one to which you connect.

To locate the Citrix XML Service, the client makes an HTTP connection to port 80 on the server running MetaFrame Presentation Server. If the user is launching a published application, for example, Citrix XML Service sends to the client the address of a server running MetaFrame Presentation Server that has the application published.

Using SSL/TLS+HTTPS for ICA BrowsingWith SSL/TLS+HTTPS as the network protocol, the client uses the HTTPS protocol to search for a list of servers running MetaFrame Presentation Server. The client communicates with the server using ICA with SSL/TLS. SSL/TLS+HTTPS provides strong encryption of ICA traffic and server authentication. Select this option when using SSL or TLS communication over the Internet or through a firewall or proxy server.

Important By default, Internet Information Services (IIS) and SSL/TLS for ICA connections are set to port 443. If your users are configured to use port 443 for IIS, you must specify another port number for SSL Relay after you install the certificate for SSL/TLS.

If you select SSL/TLS+HTTPS as the network protocol, you must enter the fully qualified domain name of the server hosting the digital certificate.


Note The TCP/IP+HTTP and SSL/TLS+HTTPS protocols can be used only with compatible servers running MetaFrame Presentation Server. See the MetaFrame Presentation Server Administrator’s Guide for Windows or UNIX for information about configuring the server running MetaFrame Presentation Server to use SSL/TLS.

Using TCP/IP for ICA BrowsingWith TCP/IP as the network protocol, clients send UDP broadcasts to the ICA browser service on port 1604 to locate published applications and servers running MetaFrame Presentation Server. Select this option if all servers running MetaFrame Presentation Server and all clients are located on the same network.

Note The term “master” browser refers to a browser located on a data collector.

With TCP/IP as the network protocol, the default setting for server location is (Auto-Locate). The auto-locate function works as follows:

• The client broadcasts a “Get Nearest MetaFrame server” packet. The first server running MetaFrame Presentation Server to respond returns the address of the master browser, which is used in the next step.

• The client sends a request for the server and published application lists to the master browser.

• The master browser responds with a list of all servers on the network running MetaFrame Presentation Server and a list of all published applications.

To eliminate broadcasts on your network, or if your network configuration uses routers or gateways, you can set a specific server address for the server that functions as the master browser.

Important By default, server farms operating in native mode do not respond to clients that use UDP broadcasts for ICA browsing. Therefore, if clients are configured to use TCP/IP and to auto-locate servers, they will fail to locate servers or published applications in a server farm running MetaFrame XP or MetaFrame Presentation Server.

Because UDP broadcast packets do not traverse subnets, using broadcasts for ICA browsing works only if a server that responds to broadcasts is on the same subnet as the client. When the client locates a server, it communicates using directed (not broadcast) UDP to port 1604.


Because of broadcast limitations, you might prefer to enter one or more IP addresses or DNS names of servers running MetaFrame Presentation Server in the Address List box in Program Neighborhood. You must do this if the client is not on the same subnet as a data collector.

Improving Performance over Low-Bandwidth ConnectionsIf you are using a low-bandwidth connection, such as a modem, you can make a number of changes to your client configuration and the way you use the client to improve performance.

In addition, Citrix recommends that you use the latest version of MetaFrame Presentation Server and its clients. Citrix continually enhances and improves performance with each release. Many performance features require the latest client and server software to function.

Changing Your Client ConfigurationOn devices with limited processing power, or in circumstances where only limited bandwidth is available, there is a trade-off between performance and functionality. The client provides both user and administrator with the ability to choose an acceptable mixture of rich functionality and interactive performance. Making one or more of these changes can reduce the bandwidth your connection requires and improve performance:

• Enable data compression. Compression reduces the size of the data that is transferred over the ICA connection. Enable compression and specify the maximum compression parameter.

• Enable the bitmap cache. Bitmap caching stores commonly used bitmaps (images) locally on your client so that they do not have to be transferred over the ICA connection every time they are needed.

• Queue mouse movements and keystrokes. When queuing is enabled, the client sends mouse and keyboard updates less frequently to the server running MetaFrame Presentation Server. Enabling this option improves performance only if you are using a low-bandwidth connection.

• Enable SpeedScreen latency reduction. SpeedScreen latency reduction improves performance over high latency connections by providing instant feedback to the user in response to typed data or mouse clicks.

• Reduce the window size. Change the window size to the minimum size you can comfortably use.

• Reduce the number of colors. Reduce the number of colors to 256.


• Reduce sound quality. If client audio mapping is enabled, reduce the sound quality to the minimum setting.

Changing Client UseICA technology is highly optimized and typically does not have high CPU and bandwidth requirements. However, if you are using a very low-bandwidth connection, the following tasks can impact performance:

• Accessing large files using client drive mapping. When you access a large file with client drive mapping, the file is transferred over the ICA connection. On slow connections, this may take a long time.

• Printing large documents on local client printers. When you print a document on a local client printer, the print file is transferred over the ICA connection. On slow connections, this may take a long time.

• Playing multimedia content. Playing multimedia content uses a lot of bandwidth and can cause reduced performance.


Optimizing the Client Environment

The following sections discuss ways you can optimize the environment in which your MetaFrame Presentation Server Clients will operate.

Ways in which this can be done include:

• Securing your client connections

• Improving client performance

• Facilitating the connection of numerous types of client devices to published resources

• Improving the user experience

• Utilizing connections to MetaFrame Presentation Server for UNIX

• Supporting naming conventions

Securing Your Client ConnectionsTo maximize the security of your environment, the connections between MetaFrame Presentation Server Clients and the resources you have published must be secured. This section discusses how to configure various types of authentication for your client software.

Windows NT Challenge/Response (NTLM) SupportSupport for networks using Windows NT Challenge/Response (NTLM) for security and authentication was introduced in Version 7.0 of the clients. NTLM authentication is supported by default on machines running Windows NT, Windows 2000, and Windows XP.


On client devices running Windows 95, Windows 98, and Windows Me, manually enable the User Control Package to use NTLM authentication. Change this by going to Control Panel > Network > Access Control. On the Access Control screen, select User-level access control. If the User Control Package is not enabled, the client uses basic authentication, not NTLM authentication.

Certificate Revocation List CheckingWhen certificate revocation list checking is enabled, the clients check whether or not the server’s certificate is revoked. By forcing clients to check this, you can improve the cryptographic authentication of the server running MetaFrame Presentation Server and the overall security of the SSL/TLS connections between a client and a server running MetaFrame Presentation Server.

You can enable several levels of certificate revocation list checking. For example, you can configure the client to check only its local certificate list or to check the local and network certificate lists. In addition, you can configure certificate checking to allow users to log on only if all Certificate Revocation Lists are verified.

To enable certificate revocation list checking

1. On the server running the Web Interface, locate and open the Default.ica file.

2. Configure the SSLCertificateRevocationCheckPolicy setting to one of the following options:

• NoCheck - No certificate revocation list checking is performed

• CheckWithNoNetworkAccess - The local list is checked

• FullAccessCheck - The local list and any network lists are checked

• FullAccessCheckAndCRLRequired - The local list and any network lists are checked; users can log on if all lists are verified

If you do not set SSLCertificationRevocationCheckPolicy, it defaults to NoCheck for Windows NT 4.0. For Windows XP, Windows 2000 Server, and Windows Server 2003, the default setting is CheckWithNoNetworkAccess.

Smart Card SupportMetaFrame Presentation Server smart card support is based on Microsoft Personal Computer/Smart Card (PC/SC) standard specifications. MetaFrame Presentation Server supports only smart cards and smart card devices that are, themselves, supported by the underlying Windows operating system. A discussion of security issues related to PC/SC standards compliance is beyond the scope of this document.

Enabling smart card support for Program Neighborhood Agent is done with the Web Interface. For more information, see the Web Interface Administrator’s Guide.

Go to Document Center Chapter 4 Optimizing the Client Environment 47

To select smart card-based logon (Program Neighborhood)

1. For an application set, select the application set and click Properties on the Program Neighborhood toolbar. For a custom ICA connection, select the custom ICA connection and click Settings on the Program Neighborhood toolbar.

2. From the Logon Information tab, select Smart Card.

3. Select Pass-through authentication to cache the PIN and pass it to the server every time the user requests a published resource.

Note Microsoft strongly recommends that only smart card readers tested and approved by the Microsoft Windows Hardware Quality Lab (WHQL) be used on computers running qualifying Windows operating systems. Visit http://www.microsoft.com/ for additional information about hardware PC/SC compliance.

MetaFrame Presentation Server does not control smart card PIN management. PIN management is controlled by the cryptographic service provider for your cards.

SSPI/Kerberos Security for Pass-Through AuthenticationRather than sending user passwords over the network, pass-through authentication now leverages Kerberos authentication in combination with Security Support Provider Interface (SSPI) security exchange mechanisms. Kerberos is an industry-standard network authentication protocol built into Microsoft Windows operating systems.

Kerberos logon offers security-minded users or administrators the convenience of pass-through authentication combined with secret-key cryptography and data integrity provided by industry-standard network security solutions. With Kerberos logon, the client does not need to handle the password and thus prevents Trojan horse-style attacks on the client device to gain access to users’ passwords.

Users can log on to the client device with any authentication method, for example, a biometric authenticator such as a fingerprint reader, and still access published resources without further authentication.

System requirements. Kerberos logon requires MetaFrame Presentation Server 3.0 or 4.0 and MetaFrame Presentation Server Clients for 32-bit Windows 8.x or 9.x. Kerberos works only between clients and servers that belong to the same or to trusted Windows 2000 or Windows 2003 domains. Servers must also be trusted for delegation, an option you configure through the Active Directory Users and Computers management tool.

Kerberos logon is not available in the following circumstances:



• Connections configured with any of the following options in Terminal Services Configuration:

• On the General tab, the Use standard Windows authentication option

• On the Logon Settings tab, the Always use the following logon information option or the Always prompt for password option

• Connections you route through the Secure Gateway for MetaFrame Presentation Server

• If the server running MetaFrame Presentation Server requires smart card logon

• If the authenticated user account requires a smart card for interactive logon

Important SSPI requires XML Service DNS address resolution to be enabled for the server farm, or reverse DNS resolution to be enabled for the Active Directory domain. For more information, see the MetaFrame Presentation Server Administrator’s Guide.

Configuring Kerberos Authentication The client, by default, is not configured to use Kerberos authentication when logging on to the server. You can set the client configuration to use Kerberos with or without pass-through authentication. Using Kerberos without pass-through authentication is more secure than using Kerberos with pass-through authentication.

Kerberos without Pass-Through AuthenticationWith this configuration, the user logs on using Kerberos authentication only. If Kerberos logon fails for any reason, the user is prompted for credentials. Kerberos can fail due to a missing operating system requirement, such as the requirement that the server be trusted for delegation. This configuration is supported only for Web Interface or custom ICA connections made through Program Neighborhood. For Program Neighborhood application sets and the Program Neighborhood Agent, the user is prompted for credentials.

To deploy Kerberos without pass-through authentication, Citrix recommends that you create a "Kerberos only" client package using the MetaFrame Presentation Server Client Packager. To create a client package, you can execute Autorun.exe on the Components CD and select the option to create a custom Windows client installation package. During Setup, configure clients to use the local name and password to log on and select the option Use Kerberos only.


Tip During the Client Packager Setup, you can select dialog boxes that you want to be displayed to users. Accept the default configuration that the “Single Sign On” dialog box is Hidden. Otherwise, users can override your configuration and set their client configuration to use pass-through authentication.

You can also configure Kerberos by modifying the settings of the Wfclient.ini file in the Citrix\ICA Client directory on a client device. For this method of configuration, you must modify Wfclient.ini on each client device for which you want to use Kerberos without pass-through authentication.

To configure the Wfclient.ini file on the client device for Kerberos logon

1. Ensure that the Wfclient.ini has the setting SSPIEnabled=off.

2. From Program Neighborhood, open ICA Settings from the Tools menu, clear Pass-Through Authentication, and click OK.

3. Log off from the client device and log back on.

4. With a text editor, open the Wfclient.ini from the Citrix\ICA Client directory and modify the following settings to:

SSPIEnabled=on

UseSSPIOnly=on

5. From Program Neighborhood, open ICA Settings from the Tools menu. Pass-Through Authentication is now selected.

6. Select Use local credentials to log on.

Kerberos with Pass-Through AuthenticationYou must use Kerberos with pass-through authentication if you want to use Kerberos with Program Neighborhood application sets or with Program Neighborhood Agent.

When client configurations are set to use Kerberos with pass-through authentication, the client attempts to use Kerberos authentication first and uses pass-through authentication if Kerberos fails.

Caution This configuration is less secure than using Kerberos without pass-through authentication. The user cannot disable this client configuration from the user interface.


You can configure a client device to use Kerberos with pass-through authentication by modifying the settings of the Wfclient.ini file in the Citrix program files on a client device. Change SSPIEnabled=off to SSPIEnabled=on in the [WFClient] section of Wfclient.ini.

If you change these settings for use with the Program Neighborhood Agent, the Program Neighborhood Agent must be closed and restarted on the client device for the settings to be applied.

Improving Client PerformanceThe following section discusses improving the performance of your client software by enabling SpeedScreen browser acceleration, auto-client reconnections, session reliability, and by utilizing the Program Neighborhood Quick Launch Bar.

SpeedScreen Browser AccelerationFor users running Internet Explorer 5.5 through 6.0, Service Pack 1, you can enhance the speed at which images are downloaded and displayed. To enable SpeedScreen browser acceleration, set SpeedScreenBA to ON (or OFF to disable it) in your .ica file.

SpeedScreen browser acceleration must be enabled on the server to be available to the client. If SpeedScreen browser acceleration is enabled on the client, but not the server, SpeedScreen browser acceleration is effectively disabled.

Auto-Client ReconnectUsers can be disconnected from their ICA sessions because of unreliable networks, highly variable network latency, or range limitations of wireless devices. With the auto-client reconnection feature, the client can detect unintended disconnections of ICA sessions and automatically reconnect users to the affected sessions.

When this feature is enabled on a server running MetaFrame Presentation Server, users do not have to reconnect manually to continue working. The client attempts to reconnect to the session until there is a successful reconnection or the user cancels the reconnection attempts. If user authentication is required, a dialog box requesting credentials is displayed to a user during automatic reconnection. Automatic reconnection does not occur if users exit applications without logging off. Users can reconnect only to disconnected sessions.


Tip To disable auto-client reconnect for a particular user, add the following line to the [WFClient] section of the Appsrv.ini file located in the user’s %User Profile%\Application Data\ICA Client directory:TransportReconnectEnabled=Off

Session ReliabilityWith session reliability, users continue to see a published application’s window if the connection to the application experiences an interruption. For example, wireless users entering a tunnel may lose their connection when they enter the tunnel and regain it when they come out on the other side. During such interruptions, the session reliability feature enables the session window to remain displayed while the connection is being restored.

To reduce the likelihood that users continue to click links or type text while the connection is being restored, mouse pointers become hourglass icons while the application is unresponsive.

Users of Program Neighborhood can control session reliability in their application or connection settings. Enabling or disabling Enable session reliability at the client overrides the session reliability settings for the server farm. Users of Program Neighborhood Agent and the Web Client cannot override the server settings for session reliability.

To enable session reliability in Program Neighborhood, select Enable session reliability on the Options tab of the Settings for the application set.

Program Neighborhood Quick Launch BarThe Program Neighborhood Quick Launch Bar can be used, for example, to allow administrators to quickly access server desktops for administrative purposes. This type of access can also be obtained through the application set wizard or by creating a new custom ICA connection, but the Quick Launch Bar enables administrators to establish a connection with a server by simply entering its name or IP address, then clicking Go.

This option is available by selecting Enable Quick Launch Bar in the Program Neighborhood Options screen of the installation wizard. The Quick Launch Bar is configured by selecting the Options button that appears next to the address bar in the Program Neighborhood user interface. For more information about configuring this feature, see the Program Neighborhood online help.


Connecting Client Devices and Published ResourcesThe following sections discuss how you can facilitate ICA sessions and optimize the connection of your client devices to resources published in the server farm. This can be achieved by utilizing the workspace control feature, understanding how your client drives and devices are mapped by MetaFrame Presentation Server, and enabling extended parameter passing. Beginning with Version 9.x, your MetaFrame Presentation Server Client can also synchronize to tethered PDA devices and support local TWAIN devices for use with published applications.

Workspace Control Workspace control provides users with the ability to quickly disconnect from all running applications, reconnect to applications, or log off from all running applications. You can move between client devices and gain access to all of your applications when you log on. For example, health care workers in a hospital can move quickly between workstations and access the same set of applications each time they log on to MetaFrame Presentation Server. These users can disconnect from multiple applications at one client device and open all the same applications when they reconnect at a different client device.

Important Workspace control is available only to users connecting to published resources with Program Neighborhood Agent or through the Web Interface.

User policies and client drive mappings change appropriately when you move to a new client device. Policies and mappings are applied according to the client device where you are currently logged on to the session. For example, if a health care worker logs off from a client device in the emergency room of a hospital and then logs on to a workstation in the hospital’s X-ray laboratory, the policies, printer mappings, and client drive mappings appropriate for the session in the X-ray laboratory go into effect for the session as soon as the user logs on to the client device in the X-ray laboratory.

Important Workspace control cannot be used with earlier versions of the clients for 32-bit Windows and works only with sessions connected to servers running MetaFrame Presentation Server Version 3.0 or 4.0..


To configure workspace control settings

If the workspace control configuration settings of the Presentation Server Console or the Web Interface Console are configured to allow users to override the server settings, users can configure workspace control in the Settings options of the Web Interface or the Reconnect Options tab of Program Neighborhood Agent Properties.

The following options are available in Program Neighborhood Agent Properties on the Reconnect Options tab:

• Enable automatic reconnection at logon allows users to reconnect to disconnected applications or both disconnected and active applications

• Enable automatic reconnection from Reconnect menu allows users to reconnect to disconnected applications or both disconnected and active sessions

For users launching applications through the Web Interface, similar options are available from the Settings page:

• Enable automatic reconnection at logon allows users to reconnect to disconnected applications or both disconnected and active applications

• Enable automatic reconnection from Reconnect menu allows users to reconnect to disconnected applications or both disconnected and active sessions

• Customize Log Off button allows users to configure whether or not the log off command will include logging them off from applications that are running in the session

If users log on with smart card, or smart card with pass-through authentication you must set up a trust relationship between the server running the Web Interface and any other server in the farm that the Web Interface accesses for published applications. For more information about workspace control requirements and server configuration, see the MetaFrame Presentation Server Administrator’s Guide or the Web Interface Administrator's Guide.

PDA Synchronization with Tethered USB ConnectionsThis feature allows the synchronization of a USB PDA device to a MetaFrame Presentation Server Client device. This feature supports USB-tethered and Microsoft Windows powered PDAs, which use ActiveSync as a synchronization agent.

Support for this feature is controlled in the Presentation Server Console with the policy Client Devices > Resources > PDA Devices >Turn on automatic virtual COM port mapping, which should be set to Enabled. Users can configure other settings for this feature by selecting the PDA Security button in the Program Neighborhood Connection Center.


TWAIN Redirection Support TWAIN redirection support allows users to transparently control client-attached TWAIN imaging devices with applications that reside on the server farm. To use this feature, a TWAIN device must be attached to the client device and the associated 32-bit TWAIN driver must also be installed on the client device.

Administrators can enable or disable this feature from a new Client Device policy rule in the MetaFrame Presentation Server Console (Client Devices > Resources > Other > Configure TWAIN redirection). Additionally, lossy (JPEG) compression can be enabled in this policy along with choosing a high, medium, or low level of compression, if selected. A second policy rule that has been added to facilitate the administration of this new feature is Bandwidth > Sesson Limits > TWAIN Redirection. This policy allows the specification of a maximum amount of bandwidth (in kilobits/second) that may be used for TWAIN redirection.

Mapping Client DevicesThe MetaFrame Presentation Server Client supports mapping devices on client devices so they are available from within an ICA session. Users can:

• Transparently access local drives, printers, and COM ports

• Cut and paste between the ICA session and the local Windows clipboard

• Hear audio (system sounds and .wav files) played from the ICA session

During logon, the client informs the server running MetaFrame Presentation Server of the available client drives, COM ports, and LPT ports. By default, client drives are mapped to server drive letters and server print queues are created for client printers so they appear to be directly connected to the server running MetaFrame Presentation Server. These mappings are available only for the current user during the current session. They are deleted when the user logs off and recreated the next time the user logs on.

You can use the net use and change client commands to map client devices not automatically mapped at logon.

Turning off Client Device MappingsOn the server running MetaFrame Presentation Server, you can specify client device mapping options in the Client Settings dialog box in the Citrix Connection Configuration tool. The tool is available from the ICA Administrator Toolbar on the server running MetaFrame Presentation Server.

The Connection options control whether or not drives and printers are mapped to client drives and printers. If these options are cleared, the devices are still available but must be mapped to drive letters and port names manually.


Use the Client Mapping Overrides options to disable client device connections.

Mapping Client DrivesClient drive mapping allows drive letters on the server running MetaFrame Presentation Server to be redirected to drives that exist on the client device. For example, drive H in a Citrix user session can be mapped to drive C of the local device running the client.

Client drive mapping is transparently built into the standard Citrix device redirection facilities. To File Manager, Windows Explorer, and your applications these mappings appear like any other network mappings.

Important Client drive mapping is not supported when connecting to MetaFrame Server 1.0 for UNIX operating systems.

The server running MetaFrame Presentation Server can be configured during installation to automatically map client drives to a given set of drive letters. The default installation mapping maps drive letters assigned to client drives starting with V and works backwards, assigning a drive letter to each fixed disk and CD-ROM drive. (Floppy drives are assigned their existing drive letters.) This method yields the following drive mappings in a client session:

Option Description

Connect Client Drives at Logon

The client device drives are mapped automatically at logon.

Connect Client Printers at Logon

The client device printers are mapped automatically at logon. This option applies only to Windows clients and maps only printers already configured in Print Manager on the client device.

Default to Main Client Printer

The user’s default client printer is configured as the default printer for the ICA session.

(inherit user config)

The per-user settings in User Manager override these settings.

Client drive letterIs accessed by the server running MetaFrame Presentation Server as:

A A

B B

C V

D U


The server running MetaFrame Presentation Server can be configured so that the server drive letters do not conflict with the client drive letters; in this case the server drive letters are changed to higher drive letters. For example, changing server drives C to M and D to N allows client devices to access their C and D drives directly. This method yields the following drive mappings in a client session:

The drive letter used to replace the server drive C is defined during Setup. All other fixed disk and CD-ROM drive letters are replaced with sequential drive letters (for example; C->M, D->N, E->O). These drive letters must not conflict with any existing network drive mappings. If a network drive is mapped to the same drive letter as a server drive letter, the network drive mapping is not valid.

When a client device connects to a server running MetaFrame Presentation Server, client mappings are reestablished unless automatic client device mapping is disabled. Automatic client device mapping can be configured for ICA connections and users. In the Citrix Connection Configuration tool’s Client Settings dialog box, you can enable or disable automatic client device mapping for an ICA connection. The User Configuration dialog box in User Manager for Domains allows you to enable or disable automatic client device mapping for a user.

Mapping Client PrintersThe MetaFrame Presentation Server Client supports auto-created printers. With auto-created printers, users find their local printers mapped to their sessions and ready for use as soon as they connect.

Published applications and ICA server connections configured to run a specified initial program offer users the same access to their local printers. When connected to published applications, users can print to local printers in the same way they would print to a local printer when using local applications.

Important For information about configuring client printing on servers running MetaFrame Presentation Server for UNIX, see the MetaFrame Presentation Server for UNIX Administrator’s Guide.

Client drive letterIs accessed by the server running MetaFrame Presentation Server as:

A A

B B

C C

D D


If the Connect Client Printers at Logon check box is selected in the terminal connection or user profile, the client printers are automatically connected when users log on and are deleted when they log off if the printers do not contain any print jobs. If print jobs are present, the printers (and the associated print jobs) are retained.

If you do not want a user’s automatically created printers to be deleted when the user logs off, modify or delete the Auto Created Client Printer entry in the Comment field of a client printer’s Properties dialog box. If you modify or delete this description, the printer is not deleted when the user logs off. Each time the user logs on, the printer that is already defined is used. If users change the Windows printer settings, they will not be set automatically. If users have custom print settings, you may not want to delete the automatically created printers.

If your user and terminal connection profile do not specify Connect Client Printers at Logon, you can use the Add Printer wizard to connect to a client printer. These printers are not deleted automatically when you log off.

To view mapped client printers

While connected to the server running MetaFrame Presentation Server, from the Start menu, choose Settings > Printers. The Printers window opens:

This screen capture shows the Printers window with three objects available: Add Printer, Acrobat Distiller, and a printer named MNICHOLS#Laser.

The Printers screen displays the local printers mapped to the ICA session. The name of the printer takes the form clientname#printername, where clientname is the unique name given to the client device during client Setup and printername is the Windows printer name. In this example ICA session, a client device called “MNICHOLS” has access to its local printer named “Laser.” This name cannot be changed and is used to locate the specific printer. Because the Windows printer name is used and not the port name (as with DOS Client printing), multiple printers can share a printer port without conflict.

Mapping Client COM PortsClient COM port mapping allows devices attached to the COM ports of the client device to be used during ICA sessions on a server running MetaFrame Presentation Server. These mappings can be used like any other network mappings.


Note Client COM port mapping is not supported when connecting to MetaFrame Server 1.0 and 1.1 for UNIX Operating Systems.

To map a client COM port

1. Start the client and log on to the server running MetaFrame Presentation Server.

2. At a command prompt, enter

net use comx: \\client\comz:

where x is the number of the COM port on the server (ports 1 through 9 are available for mapping) and z is the number of the client COM port you want to map.

3. To confirm the operation, enternet useat a command prompt. The list that appears contains mapped drives, LPT ports, and mapped COM ports.To use this COM port in a session on a server running MetaFrame Presentation Server, install your device to the mapped name. For example, if you map COM1 on the client to COM5 on the server, install your COM port device on COM5 during the session on the server. Use this mapped COM port as you would a COM port on the client device.

Note COM port mapping is not TAPI-compatible. TAPI devices cannot be mapped to client COM ports.

Mapping Client AudioClient audio mapping enables applications executing on the server running MetaFrame Presentation Server to play sounds through a Windows-compatible sound device installed on the client device. You can set audio quality on a per-connection basis on the server running MetaFrame Presentation Server and users can set it on the client device. If the client and server audio quality settings are different, the lower setting is used.

Client audio mapping can cause excessive load on the servers running MetaFrame Presentation Server and the network. The higher the audio quality, the more bandwidth is required to transfer the audio data. Higher quality audio also uses more server CPU to process.


You control the amount of bandwidth client audio mapping uses from the Citrix Connection Configuration tool. This tool lets you choose among three different audio quality settings and you can disable client audio mapping altogether. See the MetaFrame Presentation Server Administrator’s Guide for more information about client audio mapping.

Note Client sound support mapping is not supported when connecting to MetaFrame Server 1.0 and 1.1 for UNIX.

Enabling Extended Parameter PassingWith extended parameter passing you can associate a file type on a client device with an application published on a server running MetaFrame Presentation Server. When a user double-clicks a locally saved file, the file is opened by the application associated with it on the server running MetaFrame Presentation Server.

For example, if you associate all text-type files on the client device with the application “Notepad” published on the server running MetaFrame Presentation Server, opening a locally saved text-type file on the client device causes Notepad to open on the server running MetaFrame Presentation Server.

Important The Program Neighborhood Agent supports content redirection, a feature introduced in MetaFrame XP, Feature Release 2. Functionally equivalent to extended parameter passing, content redirection allows you to enforce all underlying file type associations from the server running MetaFrame Presentation Server, eliminating the need to configure extended parameter passing on individual client devices. If all users are running the Program Neighborhood Agent, and if you want to take advantage of the administrative ease of content redirection from client to server, see the MetaFrame Presentation Server Administrator’s Guide for more information.

Enabling extended parameter passing requires both server- and client-side configuration. On the server, add the %* (percent and asterisk symbols) tokens to published applications. These tokens act as placeholders for client-passed parameters. For instructions about configuring support for parameter passing, see the MetaFrame Presentation Server Administrator’s Guide.

On the client side, you must replace the open command for the file type with a command line that passes the file name and path to the server running MetaFrame Presentation Server. You must enable extended parameter passing on each client device you want to use this feature.


Configuring Extended Parameter PassingFile type association data is stored in the Windows registry. To associate a file type on the client device with the published application, you need to replace the open command for the file type with a command line that passes the file name and path to the application published on the server running MetaFrame Presentation Server.

Important MetaFrame Presentation Server supports the ISO8859-1 character code for western European languages, including English, and the ShiftJIS character code for Japanese. You must use one of these two character codes to establish file type associations.

The command line you create must include the following elements:

• The file name of the client executable used to launch the published application

• The name of the published application to launch, in the correct syntax

• The parameter passing arguments

The next section explains how to determine which client executable to include in the command line.

Determining the Client ExecutableUsers can connect to published applications using the following methods:

• Finding and launching an application in an application set using Program Neighborhood

• Creating and launching a custom ICA connection using Program Neighborhood

• Launching an .ica file (.ica files are placed on the client device when the user connects using the Web Interface)

Each of these methods launches the published application using a different executable on the client device. The following table lists which executable you must include in the parameter passing command line based on the user’s connection method.

Connection method ICA Client executable

Custom ICA connections (using Program Neighborhood Client) Wfcrun32.exe

Applications identified in ICA files (including connecting using the Web Interface)

Wfica32.exe

Applications in application sets (using Program Neighborhood) Pn.exe


The following section explains how to identify the published application with the correct syntax.

Identifying Published ApplicationsEach client executable uses different command line syntax to specify configuration data when launching published applications. When creating your command line, you must use the command line syntax to correctly identify the published application.

Note To view the required command line syntax for an executable from a command prompt, change directories to the installation directory of the client and then type the name of the executable followed by /? (forward slash question mark).

Command Line Syntax for Wfcrun32.exeTo use Wfcrun32.exe to launch a custom ICA connection, specify:“<installdir>”\wfcrun32.exe “<application name>”where “<installdir>” is your Citrix client installation directory; for example, C:\Program Files\Citrix\ICA Client.

Command Line Syntax for Wfica32.exeTo use Wfica32.exe to launch a published application described in an ICA file, specify:

“<installdir>”\wfica32.exe <file_name>.ica

Command Line Syntax for Pn.exeTo use Pn.exe to launch a custom ICA connection, specify:“<installdir>”\pn.exe /app:“<application name>”To use Pn.exe to launch an application published in an application set, specify:“<installdir>”\pn.exe /pn:“<application set name>” /app:“<application name>”


Including Parameter Passing ArgumentsWhen you determine the launching executable and identify the application, you must include the parameter passing arguments /param:“%1”.

The sample command line below associates text-type files with the published application “Notepad Text Editor” in the application set “Production Farm”.

“<installdir>”\pn.exe /pn:“Production Farm” /app:“Notepad Text Editor” /param:“%1”

Entering Parameter Passing in the Windows RegistryWhen you assemble the required elements of the new command line, you must enter the new command in the Windows registry. You can access the open command for the file types you want to associate through the Folder Options dialog box in Control Panel. For instructions about editing the open command for a file type, see the online Help for the Windows operating system of the client device.

The following example command lines combine the required elements into a working client command line.

To associate text files with a custom published application named “Notepad Text Editor” launched using Pn.exe, specify:

“<installdir>”\pn.exe /app:“Notepad Text Editor” /param:“%1”

To associate text files with an application named “Notepad Text Editor” that is published in an application set called “Production Farm,” specify:

“<installdir>”\pn.exe /pn:“Production Farm” /app:“Notepad Text Editor” /param:“%1”

To associate text files with a custom published application named “Notepad Text Editor” launched using Wfcrun32.exe, specify:

“<installdir>”\wfcrun32.exe “Notepad Text Editor” /param:“%1”

To associate text files with an application identified in an ICA file named Notepad.ica, using Wfica32.exe as the launching executable, specify:

“<installdir>”\wfica32.exe Notepad.ica /param:“%1”

Important The above examples assume that the client devices are connecting to servers running MetaFrame Presentation Server that contain remapped server drives. If your server drives are not remapped, you must add the following text to the argument: \\client\; for example: /param:“\\client\%1”.


Improving the User ExperienceThe following sections discuss the ways that MetaFrame Presentation Server Clients can be utilized for an improved user experience. Among these are improved support for client-side microphone input, multiple monitors, print performance, and Windows key combinations.

Digital Dictation SupportMetaFrame Presentation Server supports client-side microphone input. This allows you to publish dictation software for use in client sessions. Using local microphones, including a number of Philips SpeechMike speech processing devices, users can record dictations with applications running on the server.

For example, a user away from the office can establish a client session to record notes using a laptop. Later in the day the user can retrieve the notes for review or transcription from the desktop device back at the office.

Digital dictation support is available with MetaFrame Presentation Server Advanced and Enterprise Editions. For information about configuring this feature, see the MetaFrame Presentation Server Administrator’s Guide.

Users of Program Neighborhood and Program Neighborhood Agent can disable their microphones by selecting No in the Client Audio Security dialog box available from the Program Neighborhood Connection Center, or from the client’s system menu (for non-seamless connections). Web Client users are presented with the same dialog box automatically at the beginning of their sessions.

On the client, users control audio input and output in a single step—by selecting an audio quality level from the Settings dialog box (for Program Neighborhood) or from the Properties dialog box (for Program Neighborhood Agent).

Important When using the Winscribe software with a Philips foot pedal device, you do not need to configure the Winscribe software to use a foot pedal; it works automatically.


Configuring Multiple MonitorsMultiple monitors are fully supported when the client is configured to connect to seamless applications.

To enable multiple monitor support, ensure the following:

• The client device must have multiple video boards compatible with the client on the appropriate Windows platform, or a single video board that can support connections to more than one monitor.

• The client operating system must be able to detect each of the monitors. To verify that this detection occurred, on the client device, view the Settings tab in the Display Properties dialog box and confirm that each monitor appears separately.

• After your monitors are detected, right-click on the server in the Presentation Server Console and go to Properties > ICA Settings and set the Maximum memory to use for each session’s graphics setting to a large enough size (in kilobytes) to incorporate the client’s entire virtual desktop. If this setting is not high enough, the seamless application is restricted to the subset of the monitors that fits within the size specified.

Improving Print PerformanceVersion 9.x of the MetaFrame Presentation Server Clients now offer improved print performance. The following sections discuss how this is accomplished with an advanced universal print driver (UPD) and print provider and port monitor improvements.

Advanced Universal Print DriverThe Universal Print Driver (UPD) that supports MetaFrame Presentation Server Client print performance has been improved and now uses Windows’ Enhanced Metafile Format (EMF) technology. EMF is a device-independent format for recording the graphical elements printed on each page of a print job. A client-side renderer uses EMF and provides a substantial reduction in the processing time of UPD print jobs on the client.

When a client device attempts to run a print job through the UPD, an EMF Print Previewer is displayed. This application provides a graphical representation of the pages that will be printed. Users can preview the print job in this previewer before sending the job to the client printer.


Print Provider and Port Monitor ImprovementsA number of improvements in the naming of auto-created client printers and the ports to which they are bound have been added. Policies and properties settings for administering these enhancements are accessed in the MetaFrame Presentation Server Console under the Printing node.

Note For more information about administering print management features, see the MetaFrame Presentation Server Administrator’s Guide.

Client Session Support for Windows Key CombinationsProgram Neighborhood and Program Neighborhood Agent now allow the pass-through of Windows keyboard shortcuts within a remote client session. Users must select the target to which the key combinations apply. In the ICA Settings dialog box, the following options can be selected for Apply Windows key combinations:

• In full screen desktops only—the key combinations apply to the session only when it is in full-screen mode

• On the remote desktop—the key combinations apply to the session when its windows has the keyboard focus

• On the local desktop—the key combinations always apply to the local desktop

Supporting NDS UsersWhen launching client software, users can log on and be authenticated using their NDS credentials. Supported NDS credentials are user name (or distinguished name), password, directory tree, and context.

NDS support is integrated into the following:

• Program Neighborhood Agent and Program Neighborhood Client. If NDS is enabled in the server farm, NDS users enter their credentials on an NDS tab on the client logon screen. If users have the Novell Client (Version 4.8) installed, they can browse the NDS tree to choose their context.

• Pass-Through Authentication. If users have the Novell Client (Version 4.8) installed, you can pass their credentials to the server running MetaFrame Presentation Server, eliminating the need for multiple system and application authentications.


To enable pass-through authentication, configure the following policy options in the User Package in ZENworks for Desktops:

1. Enable the Dynamic Local User policy option.

2. Set the Use NetWare Credentials value to On.

• Custom ICA Connections. When users run the Add New ICA Connection wizard, they must enter a distinguished name in the user name field and a password in the password field. Users must leave the domain field blank.

• The Web Interface for MetaFrame Presentation Server. NDS users enter their credentials on an NDS logon screen provided by the Web Interface. See the Web Interface Administrator’s Guide for information about configuring your server for NDS.

Note To use NDS logon information with earlier versions of clients, enter the NDS tree name in the Domain field and a distinguished name in the User field on the client logon screen.

Setting a Default Context for NDSYou can set a default context for NDS for Program Neighborhood and for the Program Neighborhood Agent. To set a default context for NDS, you must configure the particular installer file you are using to deploy the clients:

To set a default context for NDS in the self-extracting executable

1. Extract the client file set from Ica32.exe.

2. Locate and open Appsrv.src in a text editor.

3. Add the following parameter to the [WFClient] section:

DefaultNDSContext=<Context1 [,…]>.

If you are including more than one context, separate the contexts by a comma.

4. Save and close the file.


Using Windows NT Credentials with the Novell Client and Pass-Through AuthenticationIf Program Neighborhood is configured to use pass-through authentication on a client device that has the Novell Client installed, Program Neighborhood, by default, uses the NDS credentials to authenticate the user to the server running MetaFrame Presentation Server. If you want the client to use the user’s Windows NT credentials with pass-through authentication instead, you must add a parameter to the Appsrv.ini file on the client device. You can make the addition to the Windows Installer package before distributing it, or you can configure clients on individual client devices after installation is complete.

To configure individual clients after installation

1. Locate and open the user-level Appsrv.ini file in a text editor. By default, this file is located in the %User Profile%\Application Data\ICA Client directory.

2. Add the following parameter to the [WFClient] section:SSOnCredentialType=NT

3. Save and close the Appsrv.ini file.

Connecting to MetaFrame Presentation Server for UNIX Using the Window ManagerThe window manager allows users to adjust the ICA session display for published resources on servers running MetaFrame Presentation Server for UNIX. With the window manager, users can minimize, resize, position, and close windows, as well as access full screen mode.

About Seamless WindowsIn seamless window mode, published applications and desktops are not contained within an ICA session window. Each published application and desktop appears in its own resizable window, as if it is physically installed on the client device. Users can switch between published applications and the local desktop.

You can also display seamless windows in “full screen” mode, which places the published application in a full screen-sized desktop. This mode lets you access the ctxwm menu system.

Switching between Seamless and Full Screen ModesPress SHIFT+F2 to switch between seamless and full screen modes.


Minimizing, Resizing, Positioning, and Closing WindowsWhen users connect to published resources, window manager provides buttons to minimize, resize, position, and close windows. Windows are minimized as buttons on the taskbar.

When the user closes the last application in a session, the session is logged off automatically after twenty seconds.

Using the Citrix Window Manager Menus In remote desktop and seamless full screen windows, you can use the ctxwm menu system to log off, disconnect, and exit from published applications and connection sessions.

To access the ctxwm menu system

1. On a blank area of the remote desktop window, click and hold down the left mouse button. The ctxwm menu appears.

2. Drag the mouse pointer over Shutdown to display the shutdown options.

To choose an option from the ctxwm menu

Drag the pointer over the required option to select it. Release the mouse button to select the option.

Note The server running MetaFrame Presentation Server can be configured to terminate any applications that are running if a session is disconnected.

To Choose

Terminate the connection and all running applications

Logoff

Disconnect the session but leave the application running

Disconnect

Disconnect the session and terminate the application

Exit


Cutting and Pasting Graphics Using ctxgrab and ctxcaptureIf you are connected to an application published on a server running MetaFrame Presentation Server for UNIX, use ctxgrab or ctxcapture to cut and paste graphics between the ICA session and the local desktop. These utilities are configured and deployed from the server running MetaFrame Presentation Server for UNIX.

Using ctxgrabThe ctxgrab utility is a simple tool you can use to cut and paste graphics from published applications to applications running on the local client device. This utility is available from a command prompt or, if you are using a published application, from the ctxwm window manager.

To access the ctxgrab utility from the window manager

• In seamless mode, right-click the ctxgrab button in the top, left-hand corner of the screen to display a menu and choose the grab option

• In full screen mode, left-click to display the ctxwm menu and choose the grab option

To copy from an application in a client window to a local application

1. From the ctxgrab dialog box, click From screen.

2. To select a window, move the cursor over the window you want to copy and click the middle mouse button.

To select a region, hold down the left mouse button and drag the cursor to select the area you want to copy.

Note: To cancel the selection, click the right mouse button. While dragging, click the right mouse button before releasing the left button.

3. Use the appropriate command in the local application to paste the object.

Using ctxcaptureThe ctxcapture utility is a more fully-featured utility for cutting and pasting graphics between published applications and applications running on the local client device.

With ctxcapture you can:

• Grab dialog boxes or screen areas and copy them between an application in an client window and an application running on the local client device, including non-ICCCM-compliant applications


• Copy graphics between the client and the X graphics manipulation utility xvf

If you are connected to a published desktop, ctxcapture is available from a command prompt. If you are connected to a published application and the administrator has made it available, you can access ctxcapture through the ctxwm window manager.

To access the ctxcapture utility from the window manager

Left-click to display the ctxwm menu and choose the screengrab option.

To copy from a local application to an application in a client window

1. From the ctxcapture dialog box, click From screen.

2. To select a window, move the cursor over the window you want to copy and click the middle mouse button. To select a region, hold down the left mouse button and drag the cursor to select the area you want to copy.Note: To cancel the selection: click the right mouse button. While dragging, click the right mouse button before releasing the left button.

3. From the ctxcapture dialog box, click To ICA. The xcapture button changes color to indicate that it is processing the information.

4. When the transfer is complete, use the appropriate command in the published application window to paste the information.

To copy from an application in a client window to a local application

1. From the application in the client window, copy the graphic.

2. From the ctxcapture dialog box, click From ICA.

3. When the transfer is complete, use the appropriate command in the local application to paste the information.

To copy from xv to an application in a client window or local application

1. From xv, copy the graphic.

2. From the ctxcapture dialog box, click From xv and To ICA.

3. When the transfer is complete, use the appropriate command in the client window to paste the information.

To copy from an application in a client window to xv

1. From the application in the client window, copy the graphic.

2. From the ctxcapture dialog box, click From ICA and To xv.

3. When the transfer is complete, use the paste command in xv.


Supporting Naming Conventions for Your NetworkThe following sections discuss some of the ways in which MetaFrame Presentation Server Clients support the naming conventions you are using in your server farm.

Dynamic Client Name SupportDynamic client name support allows the client name to be the same as the machine name. When users change their machine name, the client name changes to match. This allows you to name machines to suit your naming scheme and find connections more easily when managing your server farm.

If the client name is not set to match the machine name during installation, the client name does not change when the machine name is changed.

Users enable dynamic client name support by selecting Enable Dynamic Client Name during client installation.

To enable dynamic client name support during silent installation, the value of the property ENABLE_DYNAMIC_CLIENT_NAME in your installer file must be Yes. Set the property to No to disable dynamic client name support.

DNS Name ResolutionYou can configure clients that use the Citrix XML Service to request a Domain Name Service (DNS) name for a server instead of an IP address.

Important Unless your DNS environment is configured specifically to use this feature, Citrix recommends that you do not enable DNS name resolution in the server farm.

Program Neighborhood is configured to use TCP/IP+HTTP (the XML Service) browsing by default. Clients connecting to published applications through the Web Interface also use the XML Service. For clients connecting through the Web Interface, the Web server resolves the DNS name on behalf of the client.

DNS name resolution is disabled by default in the server farm and enabled by default on the clients. When DNS name resolution is disabled in the farm, any client request for a DNS name will return an IP address. There is no need to disable DNS name resolution on the client.

Disabling DNS Name ResolutionIf you are using DNS name resolution in the server farm and are having problems with specific client workstations, you can disable DNS name resolution for those workstations using the following procedure.


To disable DNS name resolution on the Clients for Win32

1. Open the user-level Appsrv.ini file. By default, this file is located in the %User Profile%\Application Data\ICA Client directory.

2. Change the line xmlAddressResolutionType=DNS-Port to xmlAddressResolutionType=IPv4-Port.

3. Save and close the Appsrv.ini file.

4. Repeat Steps 1 through 3 for each user of the client workstation.


Securing Client Communication

This chapter discusses measures you can take to secure the communication between your server farm and the clients. You can integrate your client connections to the server farm with a range of security technologies, including:

• A SOCKS proxy server or Secure proxy server (also known as security proxy server, HTTPS proxy server, or SSL tunneling proxy server)

• Secure Gateway for MetaFrame Presentation Server or SSL Relay solutions with Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols

• A firewall

Connecting through a Proxy ServerProxy servers are used to limit access to and from your network, and to handle connections between clients and servers running MetaFrame Presentation Server. The clients support SOCKS and secure proxy protocols.

Program Neighborhood Agent and the Web ClientWhen communicating with the server farm, the Program Neighborhood Agent and the Web Client use proxy server settings that are configured remotely on the server running the Web Interface. See the Web Interface Administrator’s Guide for information about configuring proxy server settings for these clients.

In communicating with the Web server, the Program Neighborhood Agent and the Web Client use the proxy server settings that are configured through the Internet settings of the default Web browser on the client device. You must configure the Internet settings of the default Web browser on the client device accordingly.


Program Neighborhood Program Neighborhood uses proxy server settings you configure locally from the client’s toolbar. You can configure proxy server settings in two ways:

• Enable auto-client proxy detection

• Manually specify the details of your proxy server

Enabling Auto-Client Proxy DetectionIf you are deploying the client in an organization with multiple proxy servers, consider using auto-client proxy detection. Auto-client proxy detection communicates with the local Web browser to discover the details of the proxy server. It is also useful if you cannot determine which proxy server will be used when you configure the client. Auto-client proxy detection requires Internet Explorer 5.0 through 6.0, Service Pack 1, or Netscape for Windows 4.78, and 6.2 through 7.1.

To enable auto-client proxy detection

1. Start Program Neighborhood.

2. If you are configuring an application set:Right-click the application set you want to configure and select Application Set Settings. A Settings dialog box for the application set appears.

If you are configuring an existing custom ICA connection:Right-click the custom ICA connection you want to configure and select Properties. The Properties dialog box for the custom connection appears.

If you are configuring all future custom ICA connections:Right-click in a blank area of the Custom ICA Connections window and select Custom Connections Settings. The Custom ICA Connections dialog box appears.

3. On the Connection tab, click Firewalls.

4. Select Use Web browser proxy settings.

5. Click OK twice.

Go to Document Center Chapter 5 Securing Client Communication 75

Manually Specifying the Details of Your Proxy Server

Note If you are configuring the proxy manually, confirm these details with your security administrator. ICA connections cannot be made if these details are incorrect.

To manually specify the details of your proxy server


2. If you are configuring an application set:Right-click the application set you want to configure and select Application Set Settings. A Settings dialog box for the application set appears.




4. Select the proxy protocol type (SOCKS or Secure (HTTPS)).

5. Enter the proxy address and the port number for the proxy server.

• The default port for SOCKS is 1080

• The default port for secure proxy is 8080

6. Click OK twice.

Configuring the User Name and PasswordSome proxy servers require authentication, prompting you for a user name and password when you enumerate resources or open an ICA connection. You can avoid these prompts by configuring the client to pass the credentials without user intervention. You can create settings that:

• Apply to one or several existing custom ICA connections

-or-

• Act as the default for all future custom ICA connections to be created using the Add ICA Connection wizard


To create a setting for one or several existing custom ICA connections

1. Exit Program Neighborhood if it is running. Make sure all Program Neighborhood components, including the Connection Center, are closed.

2. Open the individual’s user-level Appsrv.ini file (default directory: %User Profile%\Application Data\ICAClient) in a text editor.

3. Locate the [ServerLocation] section, where ServerLocation is the name of the connection you want to configure.

4. Locate the DoNotUseDefaultCSL property of that [ServerLocation] section.

• If the value of DoNotUseDefaultCSL is On, perform the following steps:

Add the following lines to that [ServerLocation] section:

ProxyUsername=<user name>

ProxyPassword=<password>

where user name is the user name recognized by the SOCKS server and password is the password associated with the user name recognized by the proxy server.

• If the value of DoNotUseDefaultCSL is Off, or if the parameter is not present, perform the following steps:

Add the following lines to the [WFClient] section:

ProxyUsername=<user name>

ProxyPassword=<password>

where user name is the user name recognized by the SOCKS server and password is the password associated with the user name recognized by the proxy server.

5. Repeat Steps 3 and 4 for any additional connections if applicable.

6. Save your changes.

Note Users can override the default setting from within a particular custom ICA connection’s Properties dialog box.

To create a default for all future custom ICA connections

1. Exit Program Neighborhood if it is running and make sure all Program Neighborhood components, including the Connection Center, are closed.



3. Locate the section named [WFClient].

4. Add the following lines to the list of parameters and values in the [WFClient] section:ProxyUsername=<user name>ProxyPassword=<password>where user name is the user name recognized by the SOCKS server and password is the password associated with the user name recognized by the proxy server.


Note Users can override the default setting from within a particular custom ICA connection’s Properties dialog box.

Connecting with the Secure Gateway or Citrix SSL RelayYou can integrate the clients with the Secure Gateway or SSL Relay service. The clients support both SSL and TLS protocols.

• SSL provides strong encryption to increase the privacy of your ICA connections and certificate-based server authentication to ensure the server you are connecting to is a genuine server.

• TLS (Transport Layer Security) is the latest, standardized version of the SSL protocol. The Internet Engineering Taskforce (IETF) renamed it TLS when it took over responsibility for the development of SSL as an open standard. TLS secures data communications by providing server authentication, encryption of the data stream, and message integrity checks. Because there are only minor technical differences between SSL Version 3.0 and TLS Version 1.0, the certificates you use for SSL in your software installation will also work with TLS. Some organizations, including US government organizations, require the use of TLS to secure data communications. These organizations may also require the use of validated cryptography, such as FIPS 140 (Federal Information Processing Standard). FIPS 140 is a standard for cryptography.


The Secure GatewayYou can use the Secure Gateway in either Normal mode or Relay mode. No client configuration is required if you are using the Secure Gateway in Normal mode and users are connecting through the Web Interface.

If you are using the Secure Gateway in Relay mode, the Secure Gateway server functions as a proxy and you must configure the client to use:

• The fully qualified domain name (FQDN) of the Secure Gateway server.

• The port number of the Secure Gateway server. Note that Relay mode is not supported by Secure Gateway Version 2.0.

Important The FQDN must list, in sequence, the following three components:

• Host name

• Intermediate domain

• Top-level domain

For example: my_computer.my_company.com is an FQDN, because it lists, in sequence, a host name (my_computer), an intermediate domain (my_company), and a top-level domain (com). The combination of intermediate and top-level domain (my_company.com) is generally referred to as the domain name.

Program Neighborhood Agent and Web ClientThe Program Neighborhood Agent and the Web Client use settings that are configured remotely on the server running the Web Interface to connect to servers running the Secure Gateway. See the Web Interface Administrator’s Guide for information about configuring proxy server settings for these clients.

Program NeighborhoodTo configure the details of your Secure Gateway server

1. Make sure the client device meets all system requirements outlined in this guide.



3. If you are configuring an application set:Right-click the application set you want to configure and select Application Set Settings. A configuration dialog box for the application set appears.



4. If you are configuring an application set or an existing custom ICA connection:From the Network Protocol menu, select SSL/TLS+HTTPS.

If you are configuring all future custom ICA connections:From the Network Protocol menu, select HTTP/HTTPS.


6. Enter the FQDN of the Secure Gateway server in the Secure gateway address box.

7. Enter the port number in the Port box.

8. Click OK twice.

Citrix SSL RelayBy default, Citrix SSL Relay uses TCP port 443 on the server running MetaFrame Presentation Server for SSL/TLS-secured communication. When the SSL Relay receives an SSL/TLS connection, it decrypts the data before redirecting it to the server running MetaFrame Presentation Server, or, if the user selects SSL/TLS+HTTPS browsing, to the Citrix XML Service.

You can use Citrix SSL Relay to secure communications:

• Between an SSL/TLS-enabled client and a server running MetaFrame Presentation Server. Connections using SSL/TLS encryption are marked with a padlock icon in Citrix Connection Center.

• With a server running the Web Interface, between the server running MetaFrame Presentation Server and the Web server.

For information about configuring and using SSL Relay to secure your installation, see the MetaFrame Presentation Server Administrator’s Guide. For information about configuring the server running the Web Interface to use SSL/TLS encryption, see the Web Interface Administrator’s Guide.


System RequirementsIn addition to the system requirements listed, you also must ensure that:

• The client device supports 128-bit encryption

• The client device has a root certificate installed that can verify the signature of the Certificate Authority on the server certificate

• The client is aware of the TCP listening port number used by the SSL Relay service in the server farm

If you are using Internet Explorer and you are not certain about the encryption level of your system, visit Microsoft’s Web site at http://www.microsoft.com/ to install a service pack that provides 128-bit encryption.

Note The clients support certificate key lengths of up to 4096 bits. Ensure that the bit lengths of your Certificate Authority root and intermediate certificates, and those of your server certificates, do not exceed the bit length your clients support, or connection may fail.

About Root CertificatesSee “Installing Root Certificates on the Clients” on page 83 for information about root certificates.

Important All secure systems need to be maintained. Ensure that you apply any service packs or upgrades that Microsoft recommends.

Using Citrix SSL Relay with Non-Standard TCP PortsBy default, Citrix SSL Relay uses TCP port 443 on the server running MetaFrame Presentation Server for SSL/TLS-secured communication. If you configure SSL Relay to listen on a port other than 443, you must make the client aware of the non-standard listening port number.

In Program Neighborhood, users can change the port number in the Firewall Settings dialog box. For step-by-step instructions, see the Program Neighborhood online help.

To apply a different listening port number for all connections

1. Make sure all client components, including the Connection Center, are closed.




3. Locate the [WFClient] section.Set the value of the SSLProxyHost parameters as follows:SSLProxyHost=*:<SSL relay port number>,where <SSL relay port number> is the number of the listening port.


To apply a different listening port number to particular connections only

1. Make sure all client components, including the Connection Center, are closed.


3. Locate the particular [Connection_Section].Set the value of the SSLProxyHost parameters as follows:SSLProxyHost=*:<SSL relay port number>,where <SSL relay port number> is the number of the listening port.

4. Repeat Step 3 for all connection sections for which you want to specify a different listening port number.


Configuring and Enabling Clients for SSL and TLSSSL and TLS are configured in the same way, use the same certificates, and are enabled simultaneously.

When SSL and TLS are enabled, each time you initiate a connection the client tries to use TLS first, then tries SSL. If it cannot connect with SSL, the connection fails and an error message appears.

Forcing TLS Connections for all ClientsTo force the clients (including the Web Client) to connect with TLS, you must specify TLS on the Secure Gateway server or SSL Relay service. See the Secure Gateway for Windows Administrator’s Guide or SSL Relay service documentation for more information.

To configure Program Neighborhood to use SSL/TLS


2. Open Program Neighborhood.


3. If you are configuring an application set to use SSL/TLS:Right-click the application set you want to configure and select Application Set Settings. A Settings dialog box for the application set appears.

If you are configuring an existing custom ICA connection to use SSL/TLS:Right-click the custom ICA connection you want to configure and select Properties. The Properties dialog box for the custom connection appears.

If you are configuring all future custom ICA connections to use SSL/TLS:Right-click in a blank area of the Custom ICA Connections window and select Custom Connections Settings. The Custom ICA Connections dialog box appears.

4. If you are configuring an application set or an existing custom ICA connection:From the Network Protocol menu, select SSL/TLS+HTTPS.

If you are configuring all future custom ICA connections:From the Network Protocol menu, select HTTP/HTTPS.

5. Add the fully qualified domain name of the SSL/TLS-enabled servers running MetaFrame Presentation Server to the Address List.

6. Click OK.

To configure the Program Neighborhood Agent to use SSL/TLS


2. To use SSL/TLS to encrypt application enumeration and launch data passed between the Program Neighborhood Agent and the server running the Web Interface, configure the appropriate settings using the Web Interface. You must include the machine name of the server running MetaFrame Presentation Server that is hosting the SSL certificate.

3. To use secure HTTP (HTTPS) to encrypt the configuration information passed between the Program Neighborhood Agent and the server running the Web Interface, enter the server URL in the format https://<servername> on the Server tab of the Program Neighborhood Agent Properties dialog box.

To configure the Appsrv.ini file to use TLS

1. Exit the client if it is running. Make sure all client components, including the Connection Center, are closed.



3. Locate the section named [WFClient].Set the values of these two parameters as follows:SSLCIPHERS={GOV | All}SECURECHANNELPROTOCOL={TLS | Detect} Set the value to TLS, or Detect to enable TLS. If Detect is selected, the client tries to connect using TLS encryption. If a connection using TLS fails, the client tries to connect using SSL.


Meeting FIPS 140 Security RequirementsTo meet FIPS 140 security requirements, you must include the following parameters in the Default.ica file on the server running the Web Interface or in the user-level Appsrv.ini file of the local client device. See the Web Interface Administrator’s Guide for additional information about the Default.ica file.

To configure the Appsrv.ini file to meet FIPS 140 security requirements

1. Exit the client if it is running. Make sure all client components, including the Connection Center, are closed.


3. Locate the section named [WFClient].

4. Set the values of these three parameters as follows:SSLENABLE=OnSSLCIPHER=GOVSECURECHANNELPROTOCOL=TLS


Installing Root Certificates on the ClientsTo use SSL/TLS to secure communications between SSL/TLS-enabled clients and the server farm, you need a root certificate on the client device that can verify the signature of the Certificate Authority on the server certificate.

The clients support the Certificate Authorities that are supported by the Windows operating system. The root certificates for these Certificate Authorities are installed with Windows and managed using Windows utilities. They are the same root certificates that are used by Microsoft Internet Explorer.


If you use your own Certificate Authority, you must obtain a root certificate from that Certificate Authority and install it on each client device. This root certificate is then used and trusted by both Microsoft Internet Explorer and the client.

Depending on your organization’s policies and procedures, you may want to install the root certificate on each client device instead of directing users to install it. If you are using Windows 2000 with Active Directory on all client devices, you can deploy and install root certificates using Windows 2000 Group Policy. See your Microsoft Windows 2000 documentation for more information.

Alternatively, you may be able to install the root certificate using other administration or deployment methods, such as:

• Using the Microsoft Internet Explorer Administration Kit (IEAK) Configuration Wizard and Profile Manager

• Using third-party deployment tools

Make sure that the certificates installed by your Windows operating system meet the security requirements for your organization, or use the certificates issued by your organization’s Certificate Authority.

Securing the Program Neighborhood Agent with SSL/TLSMake sure the client device meets all system requirements outlined in this guide.

To use SSL/TLS encryption for all communications between the Program Neighborhood Agent, MetaFrame Presentation Server, and the server running the Web Interface, the following configuration is necessary.

On the Server Running the Web Interface To use SSL/TLS to secure the communications between the Program Neighborhood Agent and the Web server

1. Select Server Settings from the Configuration settings menu.

2. Select Use SSL/TLS for communications between clients and the Web server.


Selecting SSL/TLS changes all URLs to use HTTPS protocol.


On the Server Running MetaFrame Presentation ServerTo use SSL/TLS to secure the communications between the Program Neighborhood Agent and MetaFrame Presentation Server

1. In the MetaFrame Presentation Server Console, open the Properties dialog box for the application you want to secure.

2. On the ICA Client Options tab, ensure that you select the Enable SSL option .

3. Reapeat these steps for each application you want to secure.

For more information, see the MetaFrame Presentation Server Administrator’s Guide.

To use the SSL Relay to secure communications between MetaFrame Presentation Server and the server running the Web Interface

Using the Web Interface, you must specify the machine name of the server hosting the SSL certificate. See the Web Interface Administrator’s Guide for more information about using SSL/TLS to secure communications between MetaFrame Presentation Server and the Web server.

On the Client DeviceThis section assumes that a valid root certificate is installed on the client device. See “Installing Root Certificates on the Clients” on page 83 for more information.

To use SSL/TLS to secure the communications between the Program Neighborhood Agent and the server running the Web Interface


2. The Server tab displays the currently configured URL. Click Change and enter the server URL in the dialog box that appears. Enter the URL in the format https://<servername> to encrypt the configuration data using SSL/TLS.

3. Click Update to apply the change and return to the Server tab, or click Cancel to cancel the operation.

4. Click OK to close the Properties dialog box.

5. Enable SSL/TLS in the client browser. For more information about enabling SSL/TLS in the client browser, see the online Help for the browser.


Enabling Smart Card LogonThis section assumes that smart card support is enabled on the server running MetaFrame Presentation Server, and that the client device is properly set up and configured with third party smart card hardware and software. Refer to the documentation that came with your smart card equipment for instructions about deploying smart cards within your network.

The smart card removal policy set on MetaFrame Presentation Server determines what happens if you remove the smart card from the reader during an ICA session. The smart card removal policy is configured through and handled by the Windows operating system. For more information about enabling smart card support, see “Smart Card Support” on page 46.

Smart Card Logon with Pass-Through AuthenticationPass-through authentication requires a smart card inserted in the smart card reader at logon time only. With this logon mode selected, the client prompts the user for a smart card PIN (Personal Identification Number) when it starts up. Pass-through authentication then caches the PIN and passes it to the server every time the user requests a published resource. The user does not have to subsequently reenter a PIN to access published resources or have the smart card continuously inserted.

If authentication based on the cached PIN fails or if a published resource itself requires user authentication, the user continues to be prompted for a PIN.

For more information about pass-through authentication, see “SSPI/Kerberos Security for Pass-Through Authentication” on page 47.

Smart Card Logon without Pass-Through AuthenticationDisabling pass-through authentication requires a smart card to be present in the smart card reader whenever the user accesses a server. With pass-through disabled, the client prompts the user for a smart card PIN when it starts up and every time the user requests a published resource.


Connecting through a FirewallNetwork firewalls can allow or block packets based on the destination address and port. If you are using the clients through a network firewall that maps the server’s internal network IP address to an external Internet address (that is—network address translation, or NAT), perform the following steps:

To connect to a server through a firewall

1. Open Program Neighborhood.

2. If you are configuring an application set:Right-click the application set you want to configure and select Application Set Settings. A configuration dialog box for the application set appears.

If you are configuring a custom ICA connection:Right-click the custom ICA connection you want to configure and select Custom Connections Settings. The Custom ICA Connections dialog box appears.

3. Click Add. The Add Server Location Address dialog box appears.

4. Enter the external Internet address of the server running MetaFrame Presentation Server.

5. Click OK. The external Internet address you added appears in the Address List.

6. Click Firewalls.

7. Select Use alternate address for firewall connection.

8. Click OK twice.

Important All servers in the server farm must be configured with their alternate (external) address. See the MetaFrame Presentation Server Administrator’s Guide for more information.


Updating Client Software

This chapter explains how to deploy client updates across your network. The following topics are covered:

• The Client Update Process

• Using the ICA Client Update Configuration Utility

• Specifying a Default Client Update Database

• Configuring Default Client Update Options

• Adding Clients to the Client Update Database

• Removing a Client from the Client Update Database

• Changing the Properties of the Client

About the Client Auto Update FeatureThe clients for 32-bit Windows are available from a single Microsoft Windows Installer (.msi) package referred to as the Client Packager. If your network is based on Windows 2000 or Windows 2003, you can take advantage of Microsoft Systems Management Server or Active Directory to deploy updated versions of these clients using the Client Packager. For more information about the Client Packager, see “Deploying Your Installation Files” on page 27.

To deploy updates to the Web Client, or if your network does not have Systems Management Server or Active Directory Services available, you can use the Client Auto Update feature to deploy and install client updates using self-extracting executable (.exe) files.

The Client Auto Update feature is a convenient network management tool. It monitors client version numbers as users log on to a server running MetaFrame Presentation Server and updates client installations network-wide as appropriate to a version you specify.


Typically, you use Client Auto Update to deploy the latest release of the clients on your network. You can also use this feature to revert to a previous version of a client. Visit the Download page of the Citrix Web site (http://www.citrix.com) frequently for the latest releases and documentation of the clients.

As new versions of clients become available, you add them to the client update database. When a client logs on to a server running MetaFrame Presentation Server, the server queries the client to detect its version number. If the version matches the one in the client update database, the logon continues. Otherwise, the user is informed that an update to the client is available for download. The client is then updated according to the options you set in the database.

Important You cannot automatically update previous versions of the client installed with Windows Installer (.msi) packages. You must redeploy a client installer package when a new version of the client is released.

Client Auto Update works with all network protocols supported by ICA (TCP/IP, IPX, NetBIOS, and asynchronous). Client Auto Update also:

• Automatically detects client versions

• Copies new files over any ICA connection without user intervention

• Provides administrative control of update options for each client

• Updates clients from a single database on a network share point

• Safely restores older client versions when needed

The Client Update ProcessYou identify clients by platform and by product and model number. The version number is assigned when new clients are released.

The process of updating clients with new versions uses the standard ICA protocol:

• By default, MetaFrame Presentation Server informs the user of newly available client updates and asks to perform the update. Optionally, you can specify that the update be performed without informing the user and without allowing the user to cancel the update.

• By default, users can choose between waiting for the download to complete or downloading the files in the background while they continue to work. Users connecting to the server farm with a modem obtain better performance waiting for the update process to complete. Optionally, you can force the client update to complete before allowing the user to continue.

http://www.citrix.com

Go to Document Center Chapter 6 Updating Client Software 91

• During the update, new client files are copied to the user’s computer. Optionally, you can force the user to disconnect and complete the update before continuing the session. To continue working, the user must log onto the server farm again.

• When the user disconnects from the server and closes all client programs, the client update process finishes.

• As a safeguard, the existing client files are saved to a folder named Backup in the Citrix\ICA Client subdirectory of the Program Files folder on the user’s local drive.

Configuring the Client Update DatabaseYou can configure a client update database on each server in a server farm or configure one database to update the clients for multiple servers running MetaFrame Presentation Server.

The client update database contains several clients. As Citrix releases new versions of the clients, you add them to the client update database.

Using the ICA Client Update Configuration UtilityUse the ICA Client Update Configuration utility to manage the client update database. From this utility, you can:

• Create a new update database

• Specify a default update database

• Configure the properties of the database

• Configure client update options

• Add new clients to the database

• Remove outdated or unnecessary clients

• Change the properties of a client in the database

The following sections give an overview of the Client Update Configuration utility. For details, see the utility’s online help.


To start the ICA Client Update Configuration utility

• From a server running MetaFrame Presentation Server: From the Citrix program group in the Start menu, select Administration Tools > ICA Client Update Configuration.

• From a MetaFrame XP server: From the Start menu, choose Programs > Citrix > MetaFrame XP > ICA Client Update Configuration.

• From a MetaFrame 1.8 server: From the Start menu, choose Programs > MetaFrame Tools > ICA Client Update Configuration.

In the Client Update Configuration window, the status bar shows the location of the current update database, that MetaFrame Presentation Server uses to update clients. The window shows the clients in the database.

This screen capture shows the Details view of the ICA Client Update Configuration window, which lists installed Clients, their states, versions, product codes, model numbers, variants, and comments.

Note Citrix MetaFrame Presentation Server for UNIX Operating Systems does not use the Client Update Database. To use the Client Update Database, you must have MetaFrame 1.8, MetaFrame XP, or MetaFrame Presentation Server for Windows running on the servers in your server farm.

Creating a New Client Update DatabaseThe ICA Client Distribution wizard creates the Client Update Database in the directory %Program Files%\Citrix\ICA\ClientDB. You can create a new update database in any location on a server drive or on a network share point.


To create a new update database

1. From the Database menu, choose New.

2. In the Path for the new Client Update Database dialog box, type the path for the new update database and click Save.

The utility creates a new update database in the specified location and opens the new database.

Specifying a Default Client Update DatabaseYou can configure one client update database to be used by multiple servers running MetaFrame Presentation Server. If the client update database is on a shared network drive, use the ICA Client Update Configuration utility to configure your servers to use the same shared database.

To set the default database for MetaFrame Presentation Server

1. From the Database menu, choose Open.

2. In the Open Existing Database dialog box, type the path to the default database and click Open.

3. From the Database menu, choose Set Default.:

This screen capture shows the Set Default Database dialog box, which provides a tree view of Citrix servers, one of which you can choose to have the Client Update Database set as its default.


4. Select Set as Default Database on Local Machine to make the currently opened database the default database. You can also set other servers to use the currently open database as the default database.

5. Expand the node for a domain name to view the servers in that domain. Click a server to set its default database to the currently open database. You can select multiple servers by holding down the CTRL key and clicking each server.

6. Click OK.

Configuring Default Client Update OptionsUse the Database Properties dialog box to configure overall database-wide settings for the current client update database.

To configure database properties

1. From the Database menu, choose Properties.The Database Path dialog box displays the path and file name of the database you are configuring.

This screen capture shows the Database Properties dialog box, which displays the database path being configured and provides options for setting default update properties for clients and for setting the maximum number of simultaneous updates allowed on the server.

2. For this database to perform client updates, select Enabled.


Tip If the clients do not need to be updated, disable the database to shorten logon time for your users.

The options in the Default update properties for clients section specify the default behavior for the clients added to the database. You can also set properties for individual clients (as described later in this chapter). Individual client properties override the database properties.

• Under Client Download Mode, select Ask user to give the user the choice to accept or postpone the update process. Select Notify user to notify the user of the update and require the client update. Select Transparent to update the user’s client without notifying or asking the user.

• Under Version Checking, select Update older client versions only to update only client versions that are older than the new client. Select Update any client version with this client to update both earlier and later versions of the client to this version; choose this option to force an older client to replace a newer client.

• Under Logging, select Log downloaded clients to write an event to the event log when a client is updated. By default, errors that occur during a client update are written to the event log. Clear the Log errors during download check box to turn this option off.

• Under Update Mode, select the Force disconnection option to require users to disconnect and complete the update process after downloading the new client. The Allow background download option is selected by default to allow users to download new client files in the background while they continue to work. Clear this check box to force users to wait for all client files to download before continuing.

3. Specify the number of simultaneous updates on the server. When the specified number of updates is reached, new client connections are not updated. When the number of client updates is below the specified number, new client connections are updated.

4. Click OK when you finish configuring the database settings.


Adding Clients to the Client Update DatabaseWhen you want to deploy a newer version of the client software, add it to the Client Update Database. You can download the latest client software from the Citrix Web site at http://www.citrix.com/download.

To add client software to the Client Update Database

1. From the Client menu, click New to display the Description screen.

2. In the Client Installation File box, browse to or enter the path to the client installation file Update.ini.

3. The client name, product number, model number, and version number are displayed. The Comment text box displays a description of the new client. You can modify this comment. Click Next to continue.

4. The Update Options dialog box appears. The options in this dialog box specify how the client update process occurs for this client. The database-wide update options are displayed. You can specify different behavior for individual clients. For definitions of the options in this dialog box, see the online help for this dialog box. Click Next when you finish configuring the client update options.

5. The Event Logging dialog box appears.The database-wide logging options are displayed. You can specify different behavior for individual clients. Select Log Downloaded Clients to write an event to the event log when this client is updated. By default, errors that occur during a client update are written to the event log. Clear the Log Errors During Download check box to turn this option off. Click Next to continue.

6. The Enable Client dialog box appears.

The Client Update Database can contain multiple versions of client software with the same product and model numbers. For example, when Citrix releases a new version of the MetaFrame Presentation Server Client for 32-bit Windows, you add it to the Client Update Database. However, you can enable only one version of the client. The enabled client is used for client updating.

7. Click Finish to copy the client installation files to the Client Update Database.

Removing a Client from the Client Update DatabaseIt is important to delete clients that are not used from the client update database. A database with multiple versions of the same client unnecessarily slows the checking procedure that is carried out each time a user connects to the server.

To remove a client from the database

1. In the Client Update Configuration window, select the client you want to remove from the database.

http://www.citrix.com/download


2. From the Client menu, choose Delete. A message box asks you to confirm the deletion.

3. To remove the client, click Yes.

Changing the Properties of the ClientUse the Properties dialog box to set properties for an individual client. Individual client properties override the database properties.

To change the properties of a client

1. In the ICA Client Update Configuration window, select the client whose properties you want to edit.

2. On the Client menu, choose Properties.The Properties dialog box contains tabs labeled Description, Update Options, Event Logging, and Client Files.The Description tab of the Properties dialog box lists the client name, product number, model number, and version number.

3. To update the same platform client to this version, select Enabled.

4. Use the Update Options tab to configure update options for the client.

• Under Client Download Mode, select Ask user to give the user the choice of accepting or postponing the update process. Select Notify user to notify the user of the update and require the client update. Select Transparent to update the user’s client software without notifying or asking the user.

• Under Version Checking, select Update older client versions only to update only client versions that are older than the new client. Select Update any client version with this client to update all client versions to this version. Select this option to force an older client to replace a newer client.

• Select the Force Disconnection option to require users to disconnect and complete the update process after downloading the new client.

• Select the Allow Background Download option to allow users to download new client files in the background while they continue to work. Clear this check box to force users to wait for all client files to download before continuing.

• Type a message to be displayed to users when they connect to the server.


5. Use the Event Logging tab to configure logging settings for this client.

• Select the Log Downloaded Clients option to write an event to the event log when a client is updated

• Select the Log Errors During Download option to write errors that occur during a client update to the event log

6. Use the Client Files tab to view the list of files associated with this client.

7. Click OK when you finish configuring the settings for the client.

Go to Document Center Index 99

Index

AAccess Client for MetaFrame 18accessing documentation, with Document Center 15Acrobat Reader, requirements 15application set 36auto-client proxy detection 74auto-client reconnect 50Auto-Locate

and Program Neighborhood 41incompatibility with UDP broadcasts 41

Ccertificate revocation list checking 46Citrix XML Service 38Client Auto Update 89

configuration utility 91update process 90

client detection of proxy servers 74client devices, mapping 54–59

client audio 58client COM ports 57client drives 55client printers 56turning off 54

client feature matrix 8client installation disks for Program Neighborhood 28client name, dynamic 71Client Update Database 91

adding clients 96changing client properties 97configuring default update options 94creating a new database 92removing clients 96specifying a default database 93

clients, new features 12custom ICA connection 37

Ddefault network protocol, for ICA browsing 39deploying clients

from a network share point 27from a web page 28with Active Directory Services 27with Systems Management Server 27

dial-up requirements for Program Neighborhood 38digital dictation support 15, 63DNS name resolution 71Document Center 15dynamic client name 71

EEnhanced MetaFile Format (EMF) 12, 64extended parameter passing 59–62

and the Windows Registry 62determining the client executable 60identifying published applications 61including arguments 62

Ffeatures

matrix of 8new in this release 12

FIPS 140 security 83firewalls 87fully qualified domain name (FQDN) 78

IICA browsing 38–42

changing network protocols 39–42default network protocol 39SSL/TLS+HTTPS 40TCP/IP 41TCP/IP+HTTP 39


installation filescabinet files 20configuring 20MSI package 19on a client installation disk 28self-extracting executables 20

installation optionsProgram Neighborhood 30Program Neighborhood Agent 29Web Client 30

KKerberos security 47–50keyboard shortcuts, support for 14, 65

Llow-bandwidth connections, improving performance over

42

Mmapping client audio 58mapping client devices 54–59

client audio 58client COM ports 57client drives 55client printers 56turning off 54

MetaFrame Presentation Server for UNIX 67–70ctxcapture 69ctxgrab 69seamless windows 67window manager 67

monitors, configuring multiple 64

Nnetwork address translation (NAT) 87network protocol for ICA browsing 39–42new features 12Novell Directory Services (NDS) support 65–67

setting a default context 66NTLM (Windows NT Challenge/Response) support 45

Ppass-through authentication

and SSPI/Kerberos security 47–50enabling during install 30–31for NDS users 65

PDA synchronization 13, 53Philips SpeechMike 63printing

using Enhanced MetaFile Format (EMF) 12, 64Program Neighborhood

application set 36Auto-Locate 41configuring Secure Gateway for MetaFrame 78configuring SSL/TLS 81connection methods 37–38creating client installation disks 28custom ICA connection 37installation options 30multiple server farms 39Quick Launch Bar 13, 51requirements for RAS or DUN 38silent user installation 26SSL/TLS default port 40

Program Neighborhood Agentchanging server URL 35configuration file on Web Interface server 9configuring SSL/TLS 82customizing 34installation options 29overview 33secure communication (SSL/TLS) 84–85silent user installation 24

proxy server configuration 73–77automatic client detection 74passing credentials automatically 75

published resources, connecting to 36

RRAS requirements, for Program Neighborhood 38root certificates, installing on client devices 83

SSecure Gateway for MetaFrame

configuring Program Neighborhood 78server farms

accessing multiple with Program Neighborhood 39Server URL

for Program Neighborhood Agent 35session reliability 51shortcuts to published resources 33silent installation 20smart card logon

configuration using the clients 46configuring policy 86

Go to Document Center Index 101

sound supportmapping client audio 58

SpeedScreen browser acceleration 50SSL

installing root certificates on client devices 83system requirements on client devices 80

SSL Relaynon-standard TCP ports 80overview 79

SSL/TLSconfiguring Program Neighborhood 81configuring Program Neighborhood Agent 82default port for ICA connections 40

SSL/TLS+HTTPS for ICA browsing 40SSPI/Kerberos security 47–50

TTCP ports, and SSL Relay 80TCP/IP for ICA browsing 41TCP/IP+HTTP for ICA browsing 39TLS

configuring Appsrv.ini 82definition 77forcing clients to use 81installing root certificates on client devices 83system requirements on client devices 80

TWAIN redirection support 13, 54

UUDP broadcasts

for ICA browsing 41incompatibility with Auto-Locate 41

UNIX, MetaFrame Presentation Server for 67–70

WWeb Client

installation options 30silent user installation 25two versions of 9

Web Interfaceconfiguring Program Neighborhood Agent 9

Windows key combinations, support for 14, 65Windows NT Challenge/Response (NTLM) support 45Winscribe software 63workspace control 52–59

XXML Service 38

CITRIX R

Documents

Transcript of CITRIX R